You can enjoy hardened Linux booting from DVD, alternatively from USB-Stick:
"Tails Linux: The Anti-NSA-PC, 04.23.2014
Can NSA crack everything, even hardest encryption? Only a UNIX/Linux based System can achieve security, means one of the authors below. Edward Snowden knows more about this than other ones. In order to make communication really secure, he decided to install the Linux-Distribution Tails. CHIP shows the Anti-NSA-PC for free [...]. Fast and simple: Tails runs as hardened Debian Linux", http://www.chip.de/artikel/Tails-Linux-installieren-Der-Anti-NSA-PC_63845971.html
Edward Snowden also recommends a in his eyes secure Linux/UNIX-derivate on News&Links#Computer and News&Links#Alternatives and secure apps.
But if the well-known referencial Computer-system resp. "Universal-Linux" we are going to introduce should ever not be such secure as it ought to be, the setting of the ro-option standing for read-only for the root-partition in /etc/fstab resp. /boot/grub/menu.lst (grub1, analogous grub2) past all the installing and updating can create a shoot-steadfast Linux even on harddrives doing its best.
Darknet-Browser Tor is ready for Android: You can surf complete anonymously with your handy, CHIP, 27.05.2019
The Tor-Browser is rated as a symbol for anonymes surfing in the internet and the easiest way into the Darknet. Now a ready version of the browser was provided in the Google Play Store. We show you, howto surf with this browser by upon your Android smartphone over the Tor-network.
https://www.chip.de/news/Darknet-Browser-Tor-fuer-Android-fertig-Am-Handy-komplett-anonym-surfen_148414180.html
Year 2016: Incredible high rubbish-hills of packages for not actual Linux-distributions are still provided by contributors like fr2.rpmfind.net and pbone.net. Most distribution versions can not be kept up-to-date, while the update-list from pro-linux.de is increasing day by day. Linux, comment from newsgroup alt.linux.suse, year 2003:
"I am so happy, that my linux run stable for the last 12 hours!".
More today:
Red Hat Enterprise Linux 7.1 receives extended security certifications, Pro-Linux, 14.12.2017
Without modification, Red Hat Enterprise Linux got certified for the "General-Purpose Operating System Protection Profile" (OSPP) 3.9. Now Red Hat Enterprise Linux can be used and applied in security-critical environments.
.
https://www.pro-linux.de/news/1/25437/red-hat-enterprise-linux-71-erhält-erweiterte-sicherheitszertifikation.html
Date: 30.03.2011, thanks, we got it: [espeak -v en "] Secure, 
mouseclick-fast upon MS Windows 7 and Linux and all belonging Linux-games: (bohemian) 19 W power consumpting computer ASUS (mini) ITX-220 from year 2009/2010 with a socked, crasfree bios, onboard Intel-soundchip, onboard Atheros-LAN-Chip and -ROM and onboard INTEL graphics, AOC WLED-TFT less 18 Watt with more than one million working hours, all for about 200 €. Looking upon technical revisions and software-rpm-packet-changelogs one notices, the world gave its best: 2010 - (quit) everything has been made for computers - magic year of fast, ergonomic, powersaving hardware, year of Mandriva 2010, year of CentOS 6 ( DVD CentOS 6 (actual tenth-revision, with many updates and patches by Jonny Hughes, NY) for 4,95 € or for free out of the internet ) and the for the more than 50.000 next ten years (until year 2026) fixed and patched packet-versions of Fedora Project resp. the in a careful way resulting and ( Fedora Core (fc) - ) backported Enterprise Linux (el) resp. CentOS 6, where its IT-security raised up quit to maxium by concept with methods, configurations and updates we want to present here on this webside, so that computer-technique got solved (after a long, long time ...): error-free (total: since python-stablity-patch from year 2016), free from trojans, hacker, viruses, spyware, adware, everything. Day after day the amount of still missing software declined and you still have to keep the computer up to date sometimes by installing some updates. Up to that year, the paid prices for different Linux distributions can exceed even those of other operating systems. But now you won´t have any difficulties. Text to the illustration from the top, Build your final
"UNIVERSAL COMPUTER with UNIVERSAL-LINUX"
consisting of up to 100 DVD a 4,4 GB full of rpm- and deb-packages (Debian) and many Tarballs from anywhere ON THE DAILY UPDATE-PATCH-CHANNEL (fc, el6/sl6) http://www.pro-linux.de/sicherheit/1/1/1.html) and belonging more Packages from pkgs.org, fr2.rpmfind.net and pbone.net. All kind of Linux-games run fine too.
Similar to Scientific Linux, "
CentOS" stands for "Community Enterprise Operating System". It is based to 100% upon the source code of Red Hat Enterprise Linux. The only difference is, that commercial support is missing. Typical CentOS-user are organizations and private people aiming for a stable Enterprise-operating-system without the need of commercial support. The stable versions of CentOS are supported with (RPM-) acutualizations for ten years.
CentOS is a Linux-Distribution from Red Hat with the same source code like Red Hat Enterprise Linux. Since January 2014 CentOS belongs to Red Hat as a costly free alternative to Red Hat Enterprise Linux for all those, that do not need commercial support for Red Hat Enterprise Linux. Even no one guarantees, CentOS in fact is almost compatible with Red Hat Enterprise Linux.
https://www.pro-linux.de/news/1/27054/centos-8-benötigt-noch-etwas-zeit.html
What we are going to describe in the following:
No hacker, no virusses, no trojans, no malware, no ad- and no spyware, no ransomware, no dangerous scripts, rare resp. no left traces in the net, ..., nothing of it, and no kernel up from 2.6.39 (if stable) and not much root owned processes, that can affect the computer system anymore: use
-
command dd for secure working with the partitionwise restores and backups started from an encrypted rescue partition, usb-memory-stick or DVD like Knoppix together with cryptsetup (LUKS) installed,
-
ipables-based firewall linfw3,
-
port scan detection (psad, psd),
-
intrusion detection sysems (IDS)
-
the local dns-cache dnsmasq
-
and adblocker like our listing importing konqueror-adblocker and free useragent-settings and other extensions for your browser together with
-
sandbox firejail (pclos),
-
configure /etc/fstab for the declaration of the partitions and file systems, in our case ext4 under security aspects,
-
configure /etc/passwd for the blocking shells,
-
set owner- and access-rights,
-
ACL (setfacl/getfacl),
-
use MAC (apparmor, tomoyo) and
-
chattr upon UNIX/Linux-filesystems and follow the
-
configurations and methods introduced here on this webside to make security really possible! Profit from
-
end-to-end-encrypting TLS/SSL used by browser like Konqueror, Firefox, Firefox ESR resp. Tor-Browser (Firefox ESR) and
-
pgp/gpg- and TLS-based e-mail-clients like Thunderbird and/or Kmail, claws-mail with claws-mail-plugins, ...
-
all this upon a Luks/dm-crypt and dracut full encrypted computer-system (FSE), going sure also with a read-only set (and by dracut LUKS-encrypted) root-partition.
HOWTO: Either you install the version of an actual (new) Linux-distribution after the expiration of the updates for your installed one, we recommend
Debian Linux resp. Ubuntu, SuSE Linux, Fedora, the in a careful way from Fedora resulting and backported CentOS (resp. RedHat), Rosa and Openmandriva, PCWelt: Ubuntu and Mint, or you install the covering and approved (and many, many TOP-games on the base of OpenGL and SDL including) el6, mdv2010.0 resp. mdv2011, mga1 up to mga3 or any rpm-distribution of the last decades from fr2.rpmfind.net and care for its updates. For mdv2010.0 you think of updating with the secure running autumn- and spring- updatening version mdv2010.1 and mdv2010.2 to mdv2010.2 (65 GB, around 15 DVD).
How does this work? It´s easy (or it sound so): All you need for the next time in principle is "any" Linux-distribution from DVD/CD, USB-memory-stick or per download out of the internet etc., one that is named by PRO-Linux (http://www.pro-linux.de/1/1/sicherheit.html) withiin the hugh update-listing of the last ten, twenty years. Install this distribution following the self activating installation instructions onto an installation media (we recommend an at least 120 GB Solid State Disk (SSD with an at least 65 GB sized main- resp. root-partition and at least 2 GB SWAP-partition)) and eventually more single programms resp. packages with the help of an as much expressive packagemanger as possible. We recommend Debian Linux or a ( Fedora Core - ) backported and long-update-support guaranteeing Linux-Distribution (like RedHat resp. CentOS and Scientific Linux el6 and el7). Regardless from the amount of software resp. packages, this Linux-Distribution can be considered as a
gear to the big UNIX/Linux- and its emulation-world of even more, we recommend actual UNIX-/Linux-distributions, actual updates and all kind of software and games. Emulation means, that with the help of emulators (like Wine for MS Windows) and virtual machines like Xen and Qemu software running upon other operating systems can be used too. Notice, that it is possible to install all software on the installation media at once without risking too much. The important thing is, that it is possisble to upgrade the Standard-GNU-C-library (glibc) of this distribution, so that the kernel of the LONGTERM-series out of kernel-3 and -4 can be upgraded too..
A securing 1:1 partioned media should not miss! Perform all security methods introduced in future point by point as soon as possible, as the installation is endangered extremely (by hacker and so on) with the very first built-up connection to the net!
quot;There is not much diffrence between the Linux-Distributions / Der Unterschied zwischen den Linux-Distributionen ist nicht sehr groß mit Ausnahme der Basisinstallation und der Paketverwaltung. Die meisten Distributionen beinhalten zum Großteil die gleichen Anwendungen. Der Hauptunterschied besteht in den Versionen dieser Programme, die mit der stabilen Veröffentlichung der Distribution ausgeliefert werden. Zum Beispiel sind der Kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. in allen Linux-Distributionen vorhanden."
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html
Right up from the very beginning - installing an OS like UNIX/Linux
... most already through installation media:
format -" partitioning -> format -> encryption (full system encryption, FSE) -> format -> installation (from extern media) -> configuration -> defragmentation (not essential for many UNIX/Linux file systems) -> encryption (full system encryption, FSE) -> (backup with dd and) actualization -> configuration -> (backup with dd and) actualization ( ... notice total time needed: ? )
Alternatively: Some nice "guy" or so does many things for you by mirroring almost completed system from his onto your own media (SSD (sdx), harddisc (S-ATA: sdx, IDE: hdx, CD-/DVD, USB-memory stick, ...). This can save plenty of time (look out for the right processor architecture (x86_64, i686, ...) and set /etc/X11/xorg.conf for the next time to vesa or fb)! Do this mirroring with a command like: "dd if=/dev/sda of=/dev/sdb"
Use sdd instead of dd to see a progress bar.
Used editor in the following: nano
First this webside introduces some configurations, followed by actualization, partitioning, encryption during the introduction of basic shell-commands.
Mounting partitions the right way
When mounting an Ext file system (ext2, ext3 or ext4), there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition:
/dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2
You see the difference in the options sections. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but it:
only applies to ext2 or ext3 file systems
can be circumvented easily
The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:
alex@joker:/tmp# mount | grep tmp
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
alex@joker:/tmp# ./date
bash: ./date: Permission denied
alex@joker:/tmp# /lib/ld-linux.so.2 ./date
Sun Dec 3 17:49:23 CET 2000
Newer versions of the kernel do however handle the noexec flag properly:
angrist:/tmp# mount | grep /tmp
/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
angrist:/tmp# ./date
bash: ./tmp: Permission denied
angrist:/tmp# /lib/ld-linux.so.2 ./date
./date: error while loading shared libraries: ./date: failed to map segment
from shared object: Operation not permitted
However, many script kiddies have exploits which try to create and execute files in /tmp. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in /tmp e.g. when /tmp is accidentally added into the local PATH.
Also be forewarned, some script might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see Bug 116448.
The following is a more thorough example. A note, though: /var could be set noexec, but some software [21] keeps its programs under in /var. The same applies to the nosuid option.
/dev/sda6 /usr ext3 defaults,ro,nodev 0 2
/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2
/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2
/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2
/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0
/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0
/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
Postfix - shorten information
/etc/postifx/main.cf
smtpd_banner = DOLLARSIGNmyhostname ESMTP DOLLARSIGNmail_name (FreeBSD/GNU)
... that means without version number and eventually with a new operating system name.
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html
dbus (messagebus): Secure up single service-files
dbus of many versions does make mistakes from time to time, by removing single service-files out of /usr/share/dbus-1/services and /usr/share/dbus-1/system-services from time to time without being allowed.
Therefore all service-files should be backuped in any backup-directory.
Exchange "Exec=kded" into "Exec=kded4"
nano /usr/share/dbus-1/services/org.kde.kded.service
[D-BUS Service]
Name=org.kde.kded
Exec=/usr/bin/kded4
Just update by the kernel-binary (kernel-...rpm) or configure, patch and compile the kernel-source (kernel-...rpm.src)
We assume, that any rpm-based Linux-Distribution is already installed on a storage media like harddisc. Our section for updates refers to RedHat, CentOS oder Scientific Linux, Fedora Core, PCLinuxOS, ROSA, Mageia oder Mandriva.
How to configure, patch and compile kernel-sources: Download and install all binary rpm required for the kernel. Then download, install or enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package", rpm on the kernel-source-rpm or file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "menu oldconfig".. A file .config is created to configure the kernel.
Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from.
For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel (pclos, rosa2016.1, el8, el7) and kernel-desktop (mdv2011) but not kernel (el6):
Generally, the security level of software is not only presented by stability, but also by the freeness of errors and warnings during the compilation of their source codes listed by the compiler. Kernel-2.6.32 (el6) consists of many of them and some of them are caused by kmem.h, while the quit restless error-free (only a few small patches 2012-2016 inclusive dirty-cow are known!) kernel-2.6.39.4-5.1 (mdv2011) runs error-free on our system without any warnings during the compilation time of around four hours! This is the best sign for good and secure running code. The only thing remaining is to patch with the dirty-cow-patch in mm.h and memory.c.
http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/
Kernel: We recommend kernel 4 (we chose 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)) and glibc (el8, pclos)), but do describe 2.6.39.4-5 now (also running on some playstations and so on) patched up to date by sources (containing the dirty-cow-patch in main), consisting of less compilation warning and no errors than 2.6.32 (el6). This mdv-kernel is described from patch-sources like http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/, kernel itself from http://fr2.rpmfind.net/linux/kernel/v2.6/linux-2.6.39.4.tar.xz: kernel-desktop (mdv2011): glibc (pclos, mga6), module-init-tools (we recommend mdv2011, but you can also use el6, up to 3.16; append ".conf" to all files in /etc/modules.d; module-init-tools (mdv2011) never makes trouble with it), coreutils (el6), initscripts (mdv2011, pclos and el6 as depecited below), util-linux (mdv2011 or el6 except /bin/mount, /bin/mount and /lib64/libmount* you have to delete after enpacking the rpm (not installing!) and copying its include), kernel-firmware (pclos, slack14.2 with more than 250 MB unpacked, mga6, el6), if you want
plus kernel-firmware (OpenSuSE 42.1, 32 MB) plus kernel-firmware (OpenSuSE 13.2) plus linux-firmware (fc27, 35 MB) plus kernel-firmware-extra (pclos, rosa2014.1), kernel-headers (el6), kernel-doc (el6), ksymoops (OpenSuSE 12.2, mdv2011), coreutils (el6), coreutils-libs (el6), binutils (fc25, el6), nss (el7, el6, fc30), nss-softokn (el7, el6, fc30), nss-sysinit (el7, el6, fc30) und nss-softokn-freebl (el7, el6, fc30), nss-util (el7, el6, fc30), nss-tools (el7, el6, fc30) .
glibc (el8: 2.28, pclos: the actual 2.31, mga6: 2.22, fc, for printers with 32-bit driver only like Brother install glibc (2.22, el6) too and relink and delete adequately in /lib),
In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.
All patches for 2.6.39.4-5.1 until now are available in the internet from http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/.
compiler-gcc5, add-timesys-bootlogo, dirty-cow, lantronix-ts1, no-setlocalversion, no-unused-but-set-variable, revert-nfsroot, timeconst.pl-eliminate-perl-warning, ltrx-image-rom and yaffs2.
Patch: patch (el6, fc27, mdv2010.1) has to be installed. Then type
"patch -p1 < ../patchname.patch "
But at first do the following:
Actual Kernel: how to install a patched kernel-source: A lot of freed partition (memory) is required, maybe plenty of Gigabyte. Download and install all binary rpm required for the kernel. Then download and enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package" or file-roller.
Two possibilites:
1) building a kernel-rpm out of the sources after applying the patches: Configure the spec-file of the installed source-rpm by adding or commenting in and out the patches to build a new binary kernel-rpm to install or update: https://www.howtoforge.de/anleitung/wie-man-einen-kernel-kompiliert-auf-fedora/. For CentOS and mdv depending on the package manager use command "rpm -ba" instead of "rpmbuild -ba" kernel-xxx.spec to create the binary..
2) Configure the sources and compile them:
A new directory named "linux-kernelversion" or "kernel-source-kernelversion" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-kernelversion linux" resp. "ln -sf kernel-source-kernelversion linux".
Change into this directory linux resp. linux-kernelversion resp. kernel-source-xxxx and call "menu oldconfig". A file .config is created to configure the kernel. Copy .config to include/config/auto.conf
If you do not know, what to enable or not, choose MM
(M) or (CC) to load as a module wherever possible,
(A) or (CC MM) auto-load the module or
(-): resign from the module.
Example (module extraction of kernel-2.6.39-40.src.rpm)
General Preparation of Linux, kernel-2.6.39-40.src.rpm
In order to take a firewall in use, kernel support for iptables and modules should be enabled.
Open a konsole and enter one of the statements
make menuconfig for the Dialog-GUI,
male xconfig for tk-GUI or
make gconfig with GTK or
make config
Choose kernel options within
Networking options --->
[*] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration --->
.
(
M) Userspace queueing via NETLINK (EXPERIMENTAL)
(M) IP tables support (required for filtering/masq/NAT)
(M) limit match support
(M) MAC address match support
(M) netfilter MARK match support
(M) Multiple port match support
(M) TOS match support
(M) Connection state match support
(M) Unclean match support (EXPERIMENTAL)
(M) Owner match support (EXPERIMENTAL)
(M) Packet filtering
(M) REJECT target support
(M) MIRROR target support (EXPERIMENTAL)
.
(M) Packet mangling
(M) TOS target support
(M) MARK target support
(M) LOG target support
(M) ipchains (2.2-style) support
(M) ipfwadm (2.0-style) support
think of other options (modules), store this configuration.
Before iptables can be used, the kernel module netfilter for the support of iptables has to be loaded e.g. by the statement modprobe:
# modprobe ip_tables
kernel-firmware (binary blobs within /lib/firmware, rpm kernel-firmware (around 250 MB) and/or kernel-firmware-extra ):
For kernels before 4.18:
KERNEL Enable support for Linux firmware
Device Drivers --->
Generic Driver Options --->
-*- Userspace firmware loading support
[*] Include in-kernel firmware blobs in kernel binary
(/lib/firmware) Firmware blobs root directory
For kernels beginning with 4.18:
KERNEL Enable support for Linux firmware
Device Drivers --->
Generic Driver Options --->
Firmware loader --->
-*- Firmware loading facility
() Build named firmware blobs into the kernel binary
(/lib/firmware) Firmware blobs root directory
Type "make dep && make clean && make mrproper" .
Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from, or for a pregiven configuration type "make oldconfig".
For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel-desktop (mdv2011) but not kernel (el6):
within the first item "General Setup"enable "Initial-RAM-filesystem and RAM-disk-support"and in "general drivers" enable the option "Maintain a devtmpfs at /dev/ with subitem "automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know, what to enable or not, choose MM to load as a module wherever possible.
Save the new .config.
Set the Kernel-Version at the top of the makefile.
Three possibilites, after the patching of the source-code like the dirty-cow-patch:
patch -p1 < ../any_patch.patch
apply all other patches in this way
make -i rpm (to create the binary kernel-rpm package, what endures on our system for around four hours)
make all # or
make dep (dependency properties to establish the relationship)
make clean (to remove the old data)
make bzImage (to create its core vmlinuz for /boot only after renaming the created file bzImage: time needed: around 30 minutes) or
make bzImage &,& make modules && make modules_install for the installation of the kernel-modules too.
Copy the bzImage to /boot, rename it to vmlinuz-kernelversion.
Use mkinitrd resp. in the case of FSE (Full Disk Encryption resp. encrypted root-partition) dracut to create the initrd resp. initramfs within directory /boot. If dracut does not work anymore ex. as a cause of updates, rename the new-kernel-version to the old-kernel-version in Makefile and make bzImage once again.
If you use grub as the bootloader and not grub2 and the configufile is still not configured for the new kernel, do this by editing /boot/grub/menu.lst and exchanging the vmlinuz-kernel-versions. If a new initramfs or initrd is created, enter them in the line for initrd.
done.
Installation guide and for tuning Linux secure: https://wiki.kairaven.de/open/os/linux/tuxsectune and https://wiki.centos.org/HowTos/OS_Protection ( in our example related to mdv2010.2 or CentOS 6 el6 with many patches/updates by Jonny Hughes, NY ). Be careful, for example with the exchange of the password-encryption from md5 to sha256 or sha512 and the /etc/system-auth. Make backup or copies!
Through "about:config" many URL can be removed out of the listing after typing in "http".
Using Compile-time-Hardening-Options
Several compile-time options (detailed below) can be used to help harden a resulting binary against memory corruption attacks or provide additional warning messages during compiles. Using "dpkg-buildflags" is the recommended way to incorporate the build flags in Debian.
See ReleaseGoals/SecurityHardeningBuildFlags for additional information, https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags.
For a step-by-step guide, see the HardeningWalkthrough, https://wiki.debian.org/HardeningWalkthrough.
Source: https://wiki.debian.org/Hardening
Fedora/CentOS etc: https://fedoraproject.org/wiki/Changes/Harden_All_Packages
Listing: Linux-Security-Updates up from year 2000, PRO-LINUX.de
... of the most important distributions with naming the closed error, bug resp. exploit
https://www.pro-linux.de/sicherheit/1/1/1.html
Recent LWN.net security pages
Here are the most recent LWN.net security pages, with a comprehensive roundup of a week´s worth security-related information.
Date Contents
Apr 12, 2017 Network security in the microservice environment; Two Project Zero reports; ..
.
Apr 05, 2017 ARM pointer authentication; Quotes; Exploiting Broadcom WiFi; ...
Mar 29, 2017 refcount_t meets the network stack; Quotes; ...
Mar 22, 2017 Inline encryption support for block devices; Shim review; ..
.
Mar 15, 2017 A kernel TEE party; Quotes; Struts 2 vulnerability; ...
Mar 08, 2017 A new process for CVE assignment; Smart TV bugging quotes; Threat modeling ...
Mar 01, 2017 The case of the prematurely freed SKB; SHA-1 collision and fallout; ...
Feb 22, 2017 The case against password hashers; New vulnerabilities in dropbear, kernel, nagios-core, qemu, ...
Feb 15, 2017 A look at password managers; New vulnerabilities in kernel, libevent, mysql, php, ...
Feb 08, 2017 Reliably generating good passwords; New vulnerabilities in epiphany, graphicsmagick, gstreamer (and plugins), spice, ...
Feb 01, 2017 The Internet of scary things; New vulnerabilities in ansible, chromium, kernel, mozilla, ...
Jan 25, 2017 Security training for everyone; New vulnerabilities in fedmsg, firejail, java, systemd, ...
Jan 18, 2017 Ansible and CVE-2016-9587; New vulnerabilities in bind, docker, qemu, webkit2gtk, ...
Jan 11, 2017 SipHash in the kernel; New vulnerabilities in kernel, kopete, syncthing, webkit2gtk, ...
Jan 04, 2017 Fuzzing open source; New vulnerabilities in bash, httpd, kernel, openssh, ...
Dec 22, 2016 OWASP ModSecurity Core Rule Set 3.0; New vulnerabilities in apport, kernel, libupnp, samba, ...
Dec 14, 2016 ModSecurity for web-application firewalls; New vulnerabilities in jasper, kernel, mozilla, roundcube, ...
Dec 07, 2016 Locking down module parameters; New vulnerabilities in chromium, firefox, kernel, xen, ...
Nov 30, 2016 Django debates user tracking; New vulnerabilities in drupal, firefox, kernel, ntp, ...
Nov 16, 2016 Reference-count protection in the kernel; New vulnerabilities in chromium, firefox, kernel, sudo, ...
https://lwn.net/Security/
Setting /usr read-only for the separate usr-partition
If you set /usr read-only (in /etc/fstab), you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it properly.
To do this modify /etc/apt/apt.conf and add:
DPkg
{
Pre-Invoke { "mount /usr -o remount,rw" };
Post-Invoke { "mount /usr -o remount,ro" };
};
Note that the Post-Invoke may fail with a "/usr busy" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running
# lsof +L1
Stop or restart these programs and run the Post-Invoke manually. Beware! This means you´ll likely need to restart your X session (if you´re running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system ( and please notice, that this might not be recommended, if there is an encrypted root-partition), see also this discussion on debian-devel about read-only /usr.
We are going to encrypt even more the complete system (FSE) by reliable LUKS, including the complete root- and home-partition (and USB-media) to set partitions unwriteable to read-only. Notice, that this does not exclude the same for a separate usr-partition.
/etc/pam.d/system-auth ( tested just on our platform and system ):
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_tcb.so shadow
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=0
password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow remember=2
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
More about pam-modules:
http://www.linuxdevcenter.com/pub/a/linux/2001/09/27/pamintro.html?page=2
https://linux.die.net/man/5/pam.d
One more things with PAM:
Use encryption other than DES for your passwords (making them harder to brute-force decode).
Set resource limits on all your users so they can´t perform denial-of-service attacks (number of processes, amount of memory, etc).
Enable shadow passwords (see below) on the fly.
Allow specific users to login only at specific times from specific places.
Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in user´s home directories by adding these lines to /etc/pam.d/rlogin:
#
# Disable rsh / rlogin / rexec for users
#
login auth required pam_rhosts_auth.so no_rhosts
Quelle: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698
Account locking
While having strong passwords in place for user accounts can help thwart brute force attacks as mentioned previously in point 18 - Enforce strong passwords, this is only one way of slowing down this type of attack. A good indication of brute force attack is a user account that has failed to log in successfully multiple times within a short period of time, these sorts of actions should be blocked and reported. We can block these attacks by automatically locking out the account, either at the directory if in use or locally.
The pam_tally2.so PAM module can be used to lock out local accounts after a set number of failures. To get this working I have added the below line to the
/etc/pam.d/password-auth file.
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
This will log all failures to the /var/log/tallylog file and lock out an account after 3 consecutive failures. By default it will not deny the root account however we can also lock out root by specifying even_deny_root (though this may not be required if you have disabled root access as per point 3 - Disable remote root access and point 4 - Disable root console access). The unlock time is the amount of seconds after a failed login attempt that an account will automatically unlock and become available again.
Failed logins can be viewed as below, to view all failures simply remove the --user flag.
[[email protected] ~]# pam_tally2 --user=bob
Login Failures Latest failure From
bob 4 08/21/15 19:38:23 localhost
The failure count can be manually reset by appending -reset onto this command.
pam_tally2 --user=bob --reset
If a login is successful before the limit has been reached the failure count will reset to 0. For more details see the pam_tally2 manual page by typing ´man pam_tally2´.
It´s worth noting that the manual page advises to configure this with the /etc/pam.d/login file, however I found that under CentOS 7 this did not work and needed to use the /etc/pam.d/password-auth file instead. I also tried using /etc/pam.d/system-auth which I found documented elsewhere but this also failed, so this may differ based on your operating system.
You can also manually lock and unlock local user accounts rather than waiting for the failure limit to be reached.
Lock the user account ‘bob´.https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/#4
Quelle: https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
pam_tcb.so: Migrating from shadow passwords to tcb in Linux
For a more secure Linux password system, a migration from shadow passwords to tcb is worth a little extra work. Vincent Danen tells you what you need to recompile and patch.Wechsel von shadow-Passwörtern nach tcb in Linux.
"Shadow passwords have been a de facto standard with Linux distributions for years, and as well as the use of md5 passwords. However, there are drawbacks to using the traditional shadow password method, and even md5 is not as secure as it used to be. One drawback to the shadow password file is that any application that requires looking up a single shadow password (i.e., your password) also can look at everyone else´s shadow passwords, which means that any compromised tool that can read the shadow file will be able to obtain everyone´s shadow password."
Install pam_tcb (like pam_tcb(pclos) and other pam-module-rpm). If the encryption should be blowfish, install the package bcrypt.
Source and howto: https://www.techrepublic.com/article/migrating-from-shadow-passwords-to-tcb-in-linux/
alternatively: Migrating to tcb, http://www.opennet.ru/man.shtml?topic=tcb_convert&category=8&russian=2
After performing the howto (but still resigning from blowfish and the deletion of the shadow-files), our modified /etc/pam.d/system-auth has got the include:
#%PAM-1.0
auth optional pam-mount.so try_first_pass
auth required pam_env.so
auth sufficient pam_tcb.so
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=1200
account sufficient pam_tcb.so
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=1
password sufficient pam_tcb.so use_authtok tcb write_to=tcb
password required pam_deny.so
session optional pam_mount.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_tcb.so
and /etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
auth sufficient pam_tcb.so shadow fork prefix=DOLLARSIGN2aDOLLARSIGN count=8
auth required pam_deny.so
account required pam_tcb.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_tcb.so try_first_pass use_authtok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_tcb.so
/etc/nsswitch.conf:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
passwd: files
shadow: files +root +surfuser -ALL
group: files
hosts: files [success=return] dns [success=return]
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
ipnodes: files
sendmailvars: files
automount: files
aliases: files
More details about /etc/nsswitch.conf: https://docs.oracle.com/cd/E24841_01/html/820-2980/ipconfig-42.html
You should try the originally meant "shadow: tcb nisplus nis" instead and set hosts to "hosts: files ... dns ..." into this recommended order.
and with pam_tcb.so for all pam_unix.so in /etc/pam.d/*
This all makes the computer once more mouseclick-fast and secure.
Disable Root Console Access
The previous step disables remote access for the root account, however it will still be possible for root to log in through any console device. Depending on the security of your console access you may wish to leave root access in place, otherwise it can be removed by clearing the /etc/securetty file as shown below.
echo > /etc/securetty
This file lists all devices that root is allowed to login to, the file must exist otherwise root will be allowed access through any communication device available whether that be console or other.
With no devices listed in this file root access has been disabled. It is important to note that this does not prevent root from logging in remotely with SSH for instance, that must be disabled as outlined in point 3 - Disable remote root access above.
Access to the console itself should also be secured, a physical console can be protected by the information covered in point 13 - Physical security.
https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
Limited amount of processes, source. Arch Linux
On systems with many or untrusted users, it is important to limit the number of processes each can run at once, therefore preventing fork bombs and other denial of service attacks. /etc/security/limits.conf determines how many processes each user, or group can have open, and is empty (except for useful comments) by default. adding the following lines to this file will limit all users to 100 active processes, unless they use the prlimit command to explicitly raise their maximum to 200 for that session. These values can be changed according to the appropriate number of processes a user should have running, or the hardware of the box you are administrating. Do not set the limit too low. System can malfunction.
* soft nproc 300
* hard nporc 320
# user soft nproc 200
# user hard nproc 250
# surfuser soft nproc 60
# surfuser hard nporc 80
toruser soft nproc 80
toruser hard nporc 100
librepository (el6), libsafec-check (fc30, fc29): Finds unsafe APIs
This once more makes computer
mouseclick-fast!
Bastille, msec, rkhunter, chkrootkit, clamav (clamscan, klamav), maldetect, checksec, seccheck, xsysinfo, smartd, nessus, tkcvs and cervisia, ...
At this place think of programs like bastille and msec (rosa2016.1, rosa2014.1) to check out lacks in system security, before going on with the manual configuration hook by hook. Such programs with own graphical frontends resp. wizards protocol lacks in security and are able to automatically reconfigure the system even more secure.
Two-Factor-Authentification
Two factor authentication can be implemented for SSH access or other application login, it will improve login security by adding a second factor of authentication, that is the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.
There are custom applications available for this such as Duo Securityand Google Authenticator as well as many others. These typically involve installing an application on a smart phone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
... can´t believe it, remark by Gooken:
As executed programs (processes), think of text processing and terminal, do already exist in the RAM...
All INTEL-CPU-generations since Celeron
"We can read out everything!", tagesschau.de, 04.01.2017
As a consequence of a newspaper-report scientific researches from the Technical University Graz exposed the newest security-exploit in many computer processors. "We were shocked ourself, that this functions", said Michael Schwarz from TU Graz to "Tagesspiegel".
By this exploit all data could be read out, that are in actual process by the computer.
"In Principle we could read out all actually entered by the keyboard." Attackers could also get
data from Onlinebanking or
stored passwords. "Therefore they must intrude into the computer", Schwarz restricted.
Serious hard lack in security in all Intel-CPUs, PC-WELT, 03.01.2018
A serious hard lack was found in Intel-processors of the last 10 years (excpet the one introduced by us in our data-sheed, rem., Gooken). Its closure costs performance.
https://www.pcwelt.de/a/schwere-luecke-in-allen-intel-cpus-entdeckt,3449263
What to do:
Data sheed:
Plattform: ITX-220: is not listed in the table for exploited mainboards by Intel (1) and an exploit remaind undetected as the helping-tool for belonging system-analyzes from Intel indicated (intel-sa00086.zip for Linux) (2). Result: Modul MEI (2) can not be found (this module can be integrated by the command "modprobe mei" manually or within /etc/modules each boot or dracut right up from the system-start).
Is there a workaround/fix?
- There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre, https://meltdownattack.com/
- iucode-tool (pclos2018)
-
CPU: mouseclick-fast and secure: microcode_ctl ( do not get irritated by any other versions, install fast working (microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29: 2.1-34, rosa2016.1) upon el6 ) or ucode-intel ( OpenSuSE, >= 20190618-lp151.2.3.1.x86_64.rpm ), against ZombieLoad too (in order to get activated by console), we recommend the mouseclick-fast microcode_ctl (rosa2016.1), upon microcode_ctl (el6, rpm -i --force). Take the fastest actual microcode_ctl like microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29, rosa2016.1. In order to use microcode_ctl, flash the CPU by executing the command "microcode_ctl -Qu" each boot after entering it in /etc/rc.local or out of /usr/share/autostart. If it is not booted, the CPU will work upon its initial (default) microcode again.
Howto start microcode_ctl, for example add into /etc/rc.local:
echo 1 > /sys/devices/system/cpu/microcode/reload
sh /usr/libexec/microcode_ctl/reload_microcode
or
start microcode_ctl automatically each boot by belonging udev-rule (number 83).
Changelog microcode_ctl
* Fr Dez 15 2017 Petr Oros poros@redhat.com - 1:1.17-25.2
- Update Intel CPU microde for 06-3f-02, 06-4f-01 and 06-55-04
- Add amd microcode_amd_fam17h.bin data file
- Resolves: #1527357
- Intel: Tools for ME-security-exploits, 24.11.2017, https://www.pro-linux.de/news/1/25369/intel-werkzeug-f%C3%BCr-me-sicherheitsl%C3%BCcken-vorgestellt.html
- kernel-4.20.13 with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and the reintegrated KPTI-/KAISER-patch
- "modprobe mei" or start or stop the load of module mei in /etc/modules by entering resp. removing the line "mei" MEI in this matter was mentionded in Intel-security-checks as one part of the main risk.
After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".
- Update Firefox to 57.0.4 resp. 52.5.3-ESR (OpenSuSE) - Security fixes to address the Meltdown and Spectre timing attacks - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ - Require new nss 3.34 (fixed rhbz#1531031) - Disabled ARM on all Fedoras due to rhbz#1523912
- Nvidia vs. Spectre: New Nvidia-drivers protect against Spectre-CPU-attacks, https://www.pcwelt.de/a/neue-nvidia-treiber-schuetzen-vor-spectre-cpu-attacken,3449339
NVIDIA graphics drivers (USN-3521-1, https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown?_ga=2.181440484.2145149635.1515760095-1741249263.1499327986)
- Webkitgtk+ (USN-3530-1)
- QEMU (USN-3560-1)
- libvirt (USN-3561-1)
- Cloud Images: Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available for https://cloud-images.ubuntu.com from for the following releases: ...
Beneath microcode_ctl (rosa2016.1, el6) look out for actual kernel-firmware (el6) and kernel-headers (el6) too. Take those from year2020, making it all mouseclick-fast !
Firewall Linfw3 against Meltdown and Spectre: Set group "nobody" for the group of surfuser (with primary group nobody) and only allow surfuser with one more group of surfuser named surfgroup for example (instead of nobody) to go online. Linfw3 is able to block even root (UID: root, 0, GID: root, 0). So noone is allowed to go online through Linfw3 else surfuser with group surfgroup (instead of his primary group "nobody"), what prevents device drivers from exchaning data - as in this case caused by Meltdown and Spectre To go paranoid, to make it even more confusing for kernel and CPU, set all directories and files owned by surfuser to it´s primary group "nobody".
Test, if the system is secure now, protected well against Meltdown and Spectre, type into terminal the command:
head /sys/devices/system/cpu/vulnerabilities/*
You can update the kernel, if not.
https://www.pcwelt.de/tipps/CPU-Sicher-vor-Meltdown-Spectre-und-Co-10593390.html
Integrate sensors and chips from mainboard:
Paket lm_sensors (pclos)
sensors-detect
modprobe for found modules: enter them into /etc/modules ( for ITX-220: it87, coretemp, i2c-dev, mei)
Notice: It might be mouseclick-fast and more seucre not to enter them into /etc/modules.
LAN-Chip: eventually activate it through CMOS-BIOS-Setup (default: inactive)
Logging off idle users
Idle users are usually a security problem, a user might be idle maybe because he´s out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise:
because the user´s console might be unlocked and can be accessed by an intruder.
because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of telnet).
Some remote systems have even been compromised through an idle (and detached) screen.
Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:
If bash is the user shell, a system administrator can set a default TMOUT value (see bash(1)) which will make the shell automatically log off remote idle users. Note that it must be set with the -o option or users will be able to change (or unset) it.
Install timeoutd and configure /etc/timeouts according to your local security policy. The daemon will watch for idle users and time out their shells accordingly.
Install autolog and configure it to remove idle users.
The timeoutd or autolog daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell.
Linux: TMOUT To Automatically Log Users Out
last updated May 18, 2011 in Categories BASH Shell, Linux
How do I auto Logout my shell user in Linux after certain minutes of inactivity?
Linux bash shell allows you to define the TMOUT environment variable. Set TMOUT to automatically log users out after a period of inactivity. The value is defined in seconds. For example,
export TMOUT=120
The above command will implement a 2 minute idle time-out for the default /bin/bash shell. You can edit your ~/.bash_profile or /etc/profile file as follows to define a 5 minute idle time out:
# set a 5 min timeout policy for bash shell
TMOUT=300
readonly TMOUT
export TMOUT
Save and close the file. The readonly command is used to make variables and functions readonly i.e. you user cannot change the value of variable called TMOUT.
How Do I Disable TMOUT?
To disable auto-logout, just set the TMOUT to zero or unset it as follows:
DOLLARSIGN export TMOUT=0
or
DOLLARSIGN unset TMOUT
Please note that readonly variable can only be disabled by root in /etc/profile or ~/.bash_profile
https://www.cyberciti.biz/faq/linux-tmout-shell-autologout-variable/
Or assign a value for SHELL_TIMEOUT (TMOUT) in /etc/security/msec/level.secure
SHELL_TIMEOUT=300
Restricting access to kernel pointers in the proc filesystem, source: Arch Linux
Note: linux-hardened sets kptr_restrict=2 by default rather than 0.
Enabling kernel.kptr_restrict will hide kernel symbol addresses in /proc/kallsyms from regular users without CAP_SYSLOG, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. This will not help that much on a pre-compiled Arch Linux kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but if you´re compiling your own kernel, this can help mitigating local root exploits. This will break some perf commands when used by non-root users (but many perf features require root access anyway). See FS#34323 for more information.
/etc/sysctl.d/50-kptr-restrict.conf
kernel.kptr_restrict = 1
Next point fstab-Option hidepid for proc from source Arch Linux should be applied once more at your own risk:
hidepid
"Warning: This may cause issues for certain applications like an application running in a sandbox and Xorg.
.
The kernel has the ability to hide other user-processes, normally accessible via /proc, from unprivileged users by mounting the proc filesystem with the hidepid= and gid= options documented here.
This greatly complicates an intruder´s task of gathering information about running processes, whether some daemon runs with elevated privileges, whether other user runs some sensitive program, whether other users run any program at all, makes it impossible to learn whether any user runs a specific program (given the program doesn´t reveal itself by its behaviour), and, as an additional bonus, poorly written programs passing sensitive information via program arguments are now protected against local eavesdroppers.
The proc group, provided by the filesystem package, acts as a whitelist of users authorized to learn other users´ process information. If users or services need access to /proc/ directories beyond their own, add them to the group.
For example, to hide process information from other users except those in the proc group:
/etc/fstab
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0 "
In the following and therefore just for our paranoid view, only some more security-points, now from debian.org, https://www.debian.org/doc/manuals/securing-debian-howto/ch1.en.html up to https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html, might interest like:
Choose a BIOS password
Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled bootup from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn´t boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.
Disabling booting unless a password is supplied is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.
Note: many BIOSes have well known default master passwords, and applications also exist to retrieve the passwords from the BIOS. Corollary: don´t depend on this measure to secure console access to system.
Set
- Supervisor Password
- User Access Level from Full Access, View Only or Limited to No Access - this prevents user acsess onto the BIOS-Setup-Utility, so that no changes of the settings are possible anymore. Now the BIOS is protected.
- User Password
- Password Check from (only for BIOS-)Setup to Always
Turn Off IPv6
If you´re not using a IPv6 protocol, then you should disable it because most of the applications or policies not required IPv6 protocol and currently it doesn´t required on the server. Go to network configuration file and add followings lines to disable it.
nano /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
https://www.tecmint.com/linux-server-hardening-security-tips/
Boot-process: If the message "Can not stat ( a named ) initscript" occurs during system boot, delete this initscript through all six runlevel and in directory init.d by
rm -df /etc/rc0.d/initscript-name
rm -df /etc/rc1.d/initscript-name
...
rm -df /etc/rc6.d/initscript-name
rm -df /etc/init.d/initscript-name
Activate resp. deactivate kernel-moduls
Get a listing of the kernel-modules by the terminal command lsmod.
In order to make the computer mouseclick-fast, all kernel modules without essential use have to be removed from /etc/rc.modules, while this file enpossibles to integrate modules by the command &quto;modprobe Modulname" added to the last line.
.
Following our example-hardware from datasheed, the control-modules it87 und i2c-dev can be disabled and the service envoking them named lm_sensors deactivated.
/etc/X11/xorg.conf, mouseclick-fast for IGP INTEL-GMA-945, the PS2-mouse (optical or trackball), keyboard on USB-port:
/etc/X11/xorg.conf
Section "ServerFlags"
Option "DontZap" "True" # disable <Ctrl> <Alt> <BS>(server abort)
#DontZoom # disable <Ctrl> <Alt> <KP_+> /<KP_->(resolution switching)
AllowMouseOpenFail # allows the server to start up even if the mouse does not work
Option "DontVTSwitch" "True"
EndSection
Section "Module"
Load "dbe" # Double-Buffering Extension
Load "v4l" # Video for Linux
Load "type1"
Load "freetype"
Load "extmod"
Load "glx" # 3D layer
Load "dri" # direct rendering
EndSection
Section "Files"
ModulePath "/usr/lib64/xorg/modules"
ModulePath "/usr/lib64/xorg/modules/extensions"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "built-ins"
EndSection
Section "Monitor"
Identifier "monitor1"
HorizSync 45-55
VertRefresh 55-65
DisplaySize 361 203
# Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 +hsync +vsync
# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_60" 74.48 1280 1336 1472 1664 720 721 724 746 +HSync +Vsync
# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_50" 60.47 1280 1328 1456 1632 720 721 724 741 +HSync +Vsync
EndSection
Section "Device"
Identifier "device1"
VendorName "Intel Corporation"
BoardName "Intel 810 and later"
Driver "intel"
BusID "PCI:0:2:0"
Screen 0
Option "DPMS"
Option "ZaphodHeads" "VGA1"
Option "AccelMethod" "sna"
#Option "AccelMethod" "exa"
#Option "AccelMethod" "uxa"
#Option "AccelMethod" "glamour"
Option "MigrationHeuristic" "greedy"
#Option "EXAPixmaps" "off"
Option "DRI" "3"
#Option "DRI" "2"
Option "TearFree" "off"
Option "ColorTiling" "on"
Option "ColorTiling2D" "on"
Option "EnablePageFlip" "on"
#Option "ShadowPrimary" "on"
### Available Driver options are:-
### Values: <i> : integer, <f> : float, <bool> : "True"/"False",
### <string> : "String", <freq> : "<f>Hz/kHz/MHz",
### <percent> : "<f> %"
### [arg]: arg optional
# left by default https://www.mankier.com/4/intel
#Option "Backlight" # [<str> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "VideoKey" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "ZaphodHeads" # <str>
#Option "Accel" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "Present" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "CustomeEDID" # [<bool> ]
#Option "VSync" # [<bool> ]
#Option "PageFlip" # [<bool> ]
#Option "HWRotation" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "Virtualheads" # <i>
#Option "Throttle" # [<bool> ]
#Option "NoAccel" # [<bool> ]
#Option "AccelMethod" # <str>
#Option "Backlight" # <str>
#Option "ColorKey" # <i>
#Option "VideoKey" # <i>
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "Throttle" # [<bool> ]
#Option "DelayedFlush" # [<bool> ]
#Option "TearFree" # [<bool> ]
#Option "PerCrtcPixmaps" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "BufferCache" # [<bool> ]
#Option "TripleBuffer" # [<bool> ]
#Option "SWcursor" # [<bool> ]
#Option "kmsdev" # <str>
#Option "ShadowFB" # [<bool> ]
#Option "Rotate" # <str>
Option "fbdev" "on"
#Option "debug" # [<bool> ]
#Option "ShadowFB" # [<bool> ]
#Option "DefaultRefresh" # [<bool> ]
#Option "ModeSetClearScreen" # [<bool> ]
Option "AddARGBGLXVisuals" "true"
Option "DisableGLXRootClipping" "true"
EndSection
EndSection
Section "Screen"
Identifier "screen1"
Device "device1"
Monitor "monitor1"
DefaultColorDepth 24
Subsection "Display"
Depth 24
Modes "1366x768" "1360x765" "1280x720" "1024x768"
EndSubsection
EndSection
Section "ServerLayout"
Identifier "layout1"
Screen "screen1&# File generated by XFdrake (rev )
# **********************************************************************
# Refer to the xorg.conf man page for details about the format of
# this file.
# **********************************************************************
Section "ServerFlags"
Option "DontZap" "true" # disable <Ctrl> <Alt> <BS>(server abort)
#DontZoom # disable <Ctrl> <Alt> <KP_+> /<KP_->(resolution switching)
Option "AllowMouseOpenFail" "true" # allows the server to start up even if the mouse does not work
Option "DontVTSwitch" "true"
Option "DPMS" "true"
EndSection
Section "Module"
Load "dbe" # Double-Buffering Extension
Load "v4l" # Video for Linux
Load "type1"
Load "freetype"
Load "extmod"
Load "glx" # 3D layer
Load "dri" # direct rendering
EndSection
Section "Extensions"
# compiz needs Composite, but it can cause bad (end even softreset-resistant)
# effects in some graphics cards, especially nv.
Option "Composite" "Enable"
EndSection
Section "Files"
ModulePath "/usr/lib64/xorg/modules"
ModulePath "/usr/lib64/xorg/modules/extensions"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "built-ins"
EndSection
Section "Monitor"
Identifier "monitor1"
HorizSync 47.7
VertRefresh 59.8
DisplaySize 361 203
# Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 -hsync +vsync
# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_60" 74.48 1280 1336 1472 1664 720 721 724 746 -HSync +Vsync
# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_50" 60.47 1280 1328 1456 1632 720 721 724 741 -HSync +Vsync
EndSection
Section "Device"
Identifier "device1"
VendorName "Intel Corporation"
BoardName "Intel 810 and later"
Driver "intel"
BusID "PCI:0:2:0"
Screen 0
Option "DPMS"
Option "ZaphodHeads" "VGA1"
Option "AccelMethod" "sna"
#Option "AccelMethod" "exa"
#Option "AccelMethod" "uxa"
#Option "AccelMethod" "glamour"
Option "MigrationHeuristic" "greedy"
#Option "EXAPixmaps" "off"
Option "DRI" "3"
#Option "DRI" "2"
Option "TearFree" "off"
Option "ColorTiling" "on"
Option "ColorTiling2D" "on"
Option "EnablePageFlip" "on"
#Option "ShadowPrimary" "on"
### Available Driver options are:-
### Values: <i> : integer, <f> : float, <bool> : "True"/"False",
### <string> : "String", <freq> : "<f>Hz/kHz/MHz",
### <percent> : "<f> %"
### [arg]: arg optional
# left by default https://www.mankier.com/4/intel
#Option "Backlight" # [<str> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "VideoKey" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "ZaphodHeads" # <str>
#Option "Accel" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "Present" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "CustomeEDID" # [<bool> ]
#Option "VSync" # [<bool> ]
#Option "PageFlip" # [<bool> ]
#Option "HWRotation" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "Virtualheads" # <i>
#Option "Throttle" # [<bool> ]
#Option "NoAccel" # [<bool> ]
#Option "AccelMethod" # <str>
#Option "Backlight" # <str>
#Option "ColorKey" # <i>
#Option "VideoKey" # <i>
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "Throttle" # [<bool> ]
#Option "DelayedFlush" # [<bool> ]
#Option "TearFree" # [<bool> ]
#Option "PerCrtcPixmaps" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "BufferCache" # [<bool> ]
#Option "TripleBuffer" # [<bool> ]
#Option "SWcursor" # [<bool> ]
#Option "kmsdev" # <str>
#Option "ShadowFB" # [<bool> ]
#Option "Rotate" # <str>
Option "fbdev" "on"
#Option "debug" # [<bool> ]
#Option "ShadowFB" # [<bool> ]
#Option "DefaultRefresh" # [<bool> ]
#Option "ModeSetClearScreen" # [<bool> ]
EndSection
Section "Screen"
Identifier "screen1"
Device "device1"
Monitor "monitor1"
DefaultColorDepth 24
Subsection "Display"
Depth 24
Modes "1366×768" "1360×765" "1280×720" "1024×768"
EndSubsection
EndSection
Section "ServerLayout"
Identifier "layout1"
Screen "screen1"
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mymouse1" "CorePointer"
Option "AIGLX" "true"
EndSection
# LOGITECH OPTICAL PS2-PORT-MOUSE
Section "InputDevice"
Identifier "Mymouse1"
Driver "mouse"
#Option "Device" "/dev/ttyS0"
Option "Protocol" "ImPS/2"
#Option "Device" "/dev/psaux"
#Option "Device" "/dev/ttyS0"
Option "Device" "/dev/input/mice"
Option "Emulate3Buttons" "true"
Option "CorePointer"
#Option "Protocol" "Auto"
#Option "Protocol" "ExplorerPS/2"
#Option "Protocol" "auto"
Option "ZAxisMapping" "4 5"
#Option "ZAxisMapping" "4 5 6 7"
EndSection
Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "kbd"
Option "CoreKeyboard"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "de"
EndSection
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mymouse1" "CorePointer"
EndSection
Section "InputDevice"
Identifier "Mymouse1"
Driver "mouse"
<BR>
#Option "Device" "/dev/ttyS0"
Option "Protocol" "ImPS/2"
#Option "Device" "/dev/psaux"
#Option "Device" "/dev/ttyS0"
Option "Device" "/dev/input/mice"
Option "Emulate3Buttons" "true"
Option "CorePointer"
#Option "Protocol" "Auto"
#Option "Protocol" "ExplorerPS/2"
#Option "Protocol" "auto"
Option "ZAxisMapping" "4 5"
#Option "ZAxisMapping" "4 5 6 7"
EndSection
Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "kbd"
Option "CoreKeyboard"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "de"
EndSection
Do not plug to the Internet until ready
The system should not be immediately connected to the Internet during installation. This could sound stupid but network installation is a common method. Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.
Run the minimum number of services required
Services are programs such as ftp servers and web servers. Since they have to be listening for incoming connections that request the service, external computers can connect to yours. Services are sometimes vulnerable (i.e. can be compromised under a given attack) and hence present a security risk. Unwanted servces might be: telnet, ftp, smbd and nmbd (Samba), portmap (NFS), automount (NFS, network file system), rexec, named (DNS), lpd (printer), inetd, ...
https://www.tecmint.com/remove-unwanted-services-from-linux/
Set a LILO or GRUB password
What matters for updates, should almost be not the version of the rpm but the new release of one and the same version (backport-concept).
umask (see man umask): recommended values:
/etc/fstab: option umask 077 at least for the root- and home-Partition
~/.bashrc: umask 077 # for all user
~/.bashrc-profile: umask 077 # for all user
/etc/profile: umask 022 # to keep most of all accessible for a user
Disable root prompt on the initramfs
Note: This applies to the default kernels provided for releases after Debian 3.1
Linux 2.6 kernels provide a way to access a root shell while booting which will be presented during loading the initramfs on error. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for initramfs-tools generated initramfs. The following message will appear:
"ALERT! /dev/sda1 does not exist. Dropping to a shell!
In order to remove this behavior you need to set the following boot argument:panic=0. Add this to the variable GRUB_CMDLINE_LINUX in /etc/default/grub and issue update-grub or to the append section of /etc/lilo.conf.
Remove root prompt on the kernel
Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0.
Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules wheX11-Servern autodetection fails. This behavior is the default for initrd´s linuxrc. The following message will appear:
Press ENTER to obtain a shell (waits 5 seconds)
In order to remove this behavior you need to change /etc/mkinitrd/mkinitrd.conf and set:
# DELAY The number of seconds the linuxrc script should wait to
# allow the user to interrupt it before the system is brought up
DELAY=0
Then regenerate your ramdisk image. You can do this for example with:
# cd /boot
# mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7
or (preferred):
# dpkg-reconfigure -plow kernel-image-2.4.x-yz
Restricting console login access
Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with su or sudo). This policy is implemented in Debian by editing the /etc/pam.d/login and the /etc/securetty when using PAM (make a backup, before doing this!):
/etc/pam.d/login enables the pam_securetty.so module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user.
securetty by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX and vc/X (if using devfs devices), you might want to add also ttySX, if you are using a serial console for local access (where X is an integer, you might want to have multiple instances. The default configuration for Wheezy includes many tty devices, serial ports, vc consoles as well as the X server and the console device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing /etc/inittab . For more information on terminal devices read the Text-Terminal-HOWTO.
When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature, that can be disabled, is the possibility to login with null (blank) passwords. This feature can be limited by removing nullok from the line:
auth required pam_unix.so nullok
Our /etc/pam.d/login:
%PAM-1.0
auth required pam-securetty.so
auth required pam_tally2.so deny=3 even_deny_root unlock_time=2400
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
securetty
is the file, where to add or delete terminals for the login of root. If a local access by console should be allowed only, then add console, ttyX and vc/X ( if devfs-interface is used, where X is an integer ).
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html
The primary entry types and their affects are as follows:
If /etc/securetty doesn´t exist, root is allowed to login from any tty
If /etc/securetty exist and is empty, root access will be restricted to single user mode or programs, that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp)
if you are using devfs (a deprecated filesystem for handling /dev), adding entries of the form vc/[0-9]* will permit root login from the given virtual console number
if you are using udev (for dynamic device management and replacement for devfs), adding entries of the form tty[0-9]* will permit root login from the given virtual console number
listing console in securetty, normally has no effect since /dev/console points to the current console and is normally only used as the tty filename in single user mode, which is unaffected by /etc/securetty
adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to login into root assuming the allocated pty is one of the ones listed; it´s normally a good idea not to include these entries because it´s a security risk; it would allow, for instance, someone to login into root via telenet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev which is used in RHEL 5.5; it will be different if using devfs or some other form of device management)
For single user mode, /etc/securetty is not consulted because the sulogin is used instead of login. See the sulogin man page for more info. Also you can change the login program used in /etc/inittab for each runlevel.
https://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty
Restricting system reboots through the console
If your system has a keyboard attached to it anyone (yes anyone) with physical access to the system can reboot the system through it without login in just pressing the Ctrl+Alt+Delete keyboard combination, also known as the three finger salute. This might, or might not, adhere to your security policy.
This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might virtually send it and force a system reboot.
There are two ways to restrict this:
configure it so that only allowed users can reboot the system, disable this feature completely.
If you want to restrict this, you must check the /etc/inittab so that the line that includes ctrlaltdel calls shutdown with the -a switch.
The default in Debian includes this switch:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
The -a switch, as the shutdown(8) manpage describes,makes it possible to allow some users to shutdown the system. For this the file /etc/shutdown.allow must be created and the administrator has to include there the name of users which can boot the system. When the three finger salute combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.
If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the ctrlaltdel definition in the /etc/inittab.
Remember to run init q after making any changes to the /etc/inittab file for the changes to take effect.
Restricting the use of the Magic SysRq key
The Magic SysRq key is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously Alt+SysRq and a command key. The SysRq key in many keyboards is labeled as the Print Screen key.
Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the /proc/sys/kernel/sysrq exists and reviewing its value:
DOLLARSIGN cat /proc/sys/kernel/sysrq
438
The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allow users connected to the console to remount all systems read-only, reboot the system or cause a kernel panic. In all the features are enabled, or in older kernels (earlier than 2.6.12) the value will be just 1.
You should disable this functionality ifaccess to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system or it is running in a virtualised environment and other users access the console. To do this edit the /etc/sysctl.conf and add the following lines:
# Disables the magic SysRq key
kernel.sysrq = 0
User authentication: PAM
PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).
Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:
what backend is used for authentication.
what backend is used for sessions.
how do password checks behave.
The following description is far from complete, for more information you might want to read the Linux-PAM Guides as a reference. This documentation is available in the system if you install the libpam-doc at /usr/share/doc/libpam-doc/html/.
PAM offers you the possibility to go through several authentication steps at once, without the user´s knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure if one module fails.
More about PAM: https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html, chapter 4.11
User login actions: edit /etc/login.defs (make a backup, before doing this!)
The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it´s a configuration file honored by login and su programs, so it doesn´t make sense tuning it for cases where neither of the two programs are at least indirectly called (the getty program which sits on the consoles and offers the initial login prompt does invoke login).
FAILLOG_ENAB yes
If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack.
LOG_UNKFAIL_ENAB no
If you set this variable to ´yes´ it will record unknown usernames if the login failed. It is best if you use ´no´ (the default) since, otherwise, user passwords might be inadvertenly logged here (if a user mistypes and they enter their password as the username). If you set it to ´yes´, make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm).
SYSLOG_SU_ENAB yes
This one enables logging of su attempts to syslog. Quite important on serious machines but note that this can create privacy issues as well.
SYSLOG_SG_ENAB yes
The same as SYSLOG_SU_ENAB but applies to the sg program.
ENCRYPT_METHOD SHA512
As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in /etc/pam.d/common-password.
User login actions: edit /etc/pam.d/login (make a backup, before doing this!)
You can adjust the login configuration file to implement an stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:
auth optional pam_faildelay.so delay=3000000
Increasing the delay value to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer seconds to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set delay=10000000, users will have to wait 10 seconds if they type a wrong password.
In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:
# auth required pam_issue.so issue=/etc/issue
If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user acess is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the /etc/issue [24] file and uncomment the line enabling the pam_issue.so module in /etc/pam.d/login. In this file you can also enable additional features which might be relevant to apply local security policies such as:
setting rules for which users can access at which times, by enabling the pam_time.so module and configuring /etc/security/time.conf accordingly (disabled by default),
setup login sessions to use user limits as defined in /etc/security/limits.conf (enabled by default),
present the user with the information of previous login information (enabled by default),
print a message (/etc/motd and /run/motd.dynamic) to users after login in (enabled by default),
Restricting ftp: editing /etc/ftpusers (make a backup, before doing this!)
The /etc/ftpusers file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services.
A convenient way to add all system accounts to the /etc/ftpusers is to run
DOLLARSIGN awk -F : ´{if (DOLLARSIGN3<1000) print DOLLARSIGN1}´ /etc/passwd > /etc/ftpusers
Disallow remote administrative access
You should also modify /etc/security/access.conf to disallow remote logins to administrative accounts. This way users need to invoke su (or sudo) to use any administrative powers and the appropriate audit trace will always be generated.
You need to add the following line to /etc/security/access.conf, the default Debian configuration file has a sample line commented out (making your system mouseclick-fast; do not forget to make a backup of this file, before doing this!).
As already described commented in in /etc/security/access.conf, for root and system user and user:
:
# User "root" should be denied to get access from all other sources.
- : root : ALL
- : user : ALL
- : surfuser : 127.0.0.0/24
- : toruser : 127.0.0.0/24
- : uuidd : ALL
- . messagebus: ALL
- : wheel:ALL EXCEPT LOCAL
- : ftp : ALL
- : mail : ALL
- : pop3ad : ALL
- : bin : ALL
- : daemon : ALL
- : adm : ALL
- : sync : ALL
- : halt : ALL
- : news : ALL
# All other users should be denied to get access from all sources.
: ALL : ALL
Look out for other important options in this file too. Remember to enable the pam_access module for every service (or default configuration) in /etc/pam.d/ if you want your changes to /etc/security/access.conf honored.
Configuring syncookies
This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs).
net/ipv4/tcp_syncookies = 1
If you want to change this option each time the kernel is working you need to change it in /etc/network/options by setting syncookies=yes. This will take effect when ever /etc/init.d/networking is run (which is typically done at boot time) while the following will have a one-time effect until the reboot:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # e.g. within /etc/rc.local
This option will only be available if the kernel is compiled with the CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option builtin but you can verify it running:
DOLLARSIGN sysctl -A |grep syncookies
net/ipv4/tcp_syncookies = 1
For more information on TCP syncookies read http://cr.yp.to/syncookies.html.
Disabling weak-end hosts issues
Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given hardware address (interface card).
This is not an ARP issue and it´s not an RFC violation (it´s called weak end host in RFC1122, section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces.
On 2.2 (and previous) kernels this can be fixed with:
# echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden
.....
On later kernels this can be fixed either with:
iptables rules.
properly configured routing.
kernel patching.
Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
Using tcpwrappers
TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they´re still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at hosts_access(5).
Many services installed in Debian are either:
launched through the tcpwrapper service (tcpd)
compiled with libwrapper support built-in.
On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.
To see which packages use tcpwrappers [31] try:
DOLLARSIGN apt-cache rdepends libwrap0
Take this into account when running tcpdchk (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the hosts.deny and hosts.allow files, tcpdchk will warn you that it is not able to find the mentioned services since it only looks for them in /etc/inetd.conf (the manpage is not totally accurate here).
Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers:
ALL: ALL: SPAWN (
echo -e "n
TCP Wrappers: Connection refusedn
By: DOLLARSIGN(uname -n)n
Process: %d (pid %p)n
User: %un
Host: %cn
Date: DOLLARSIGN(date)n
" | /usr/bin/mail -s "Connection to %d blocked" root) &
Beware: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
Protecting against ARP attacks
When you don´t trust the other boxes on your LAN (which should always be the case, because it´s the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn´t present in the cache by broadcasting an ARP query) to find the target´s hardware address. All the ARP attacks aim to fool your box into thinking that box B´s IP address is associated to the intruder´s box´s MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder´s box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:
Use a static ARP cache. You can set up "static" entries in your ARP cache with:
arp -s host_name hdwr_addr
By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don´t expire and can´t be modified) and spoofed ARP replies will be ignored.
Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html
Securing FTP
If you really have to use FTP (without wrapping it with sslwrap or inside a SSL or SSH tunnel), you should chroot ftp into the ftp users´ home directory, so that the user is unable to see anything else than their own directory. Otherwise they could traverse your root file system just like if they had a shell in it. You can add the following line in your proftpd.conf in your global section to enable this chroot feature:
DefaultRoot ~
Restart ProFTPd by /etc/init.d/proftpd restart and check whether you can escape from your homedir now.
To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf: DenyFilter *.*/
Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service) and there are better alternatives in Debian for this. For example, sftp (provided by ssh). There are also free implementations of SSH for other operating systems: putty and cygwin for example.
However, if you still maintain the FTP server while making users access through SSH you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in the FTP server. While the access will be refused, the password will nevertheless be sent through the net in clear form. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users feeding the anonymous FTP server with valid SSH accounts. More information and patch available at: ProFTPD Patches. This patch has been reported to Debian too, see Bug #145669.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html
Boot-break kernel or haldaemon (hal, hald)?
The kernel (in our case 4.20.13) or haldaemon resp. hal from Mandriva-derivates as much as CentOS 6 is an enormous system-boot- and -shutdown-break "making more or less a pause" of around 30 up to 45 seconds during the system boot resp. -shutdown.
Configuration of hal:
/etc/hal.conf
<!-- This configuration file controls the Hardware Abstraction Layer
daemon - it is meant that OS vendors customize this file to reflect
their desired policy.
-->
<haldconfig>
<!-- If true, then the device list is saved to disk such that
properties are kept between invocations of hald.
-->
<persistent_device_list>false</persistent_device_list>
<!-- Default value for storage.media_check_enabled for devices of
capability storage - this can be overridden by .fdi files.
Setting this to false results a whitelist policy, e.g. media
check is only enabled for storage devices with a .fdi file
saying so.
Conversely, setting it to true results in a blacklist policy
where media check is enabled by default but may be overridden
by a .fdi for devices causing trouble.
-->
<storage_media_check_enabled>true</storage_media_check_enabled>
<!-- Default value for storage.automount_enabled_hint for devices of
capability storage - this can be overridden by .fdi files.
Setting this to false results a whitelist policy, e.g. policy
agents should only automount storage devices with a .fdi file
saying so.
Conversely, setting it to true results in a blacklist policy
where policy agents should always automount unless this is
explicitly overridden by .fdi for devices causing trouble.
-->
<storage_automount_enabled_hint>true</storage_automount_enabled_hint>
https://www.thegeekdiary.com/linux-os-service-haldaemon/
Deprecated
As of 2011, Linux distributions such as Ubuntu,[5] Debian,[6] and Fedora and on FreeBSD,[7] and projects such as KDE,[8] GNOME and X.org are in the process of deprecating HAL as it has "become a large monolithic unmaintainable mess".[5] The process is largely complete, but some use of HAL remains – Debian squeeze (Feb 2011) and Ubuntu version 10.04 remove HAL from the basic system and boot process.[9] In Linux, it is in the process of being merged into udev (main udev, libudev, and udev-extras) and existing udev and kernel functionality. The replacement for non-Linux systems such as FreeBSD is devd.
Initially a new daemon DeviceKit was planned to replace certain aspects of HAL, but in March 2009, DeviceKit was deprecated in favor of adding the same code to udev as a package: udev-extras, and some functions have now moved to udev proper.
https://en.wikipedia.org/wiki/HAL_(software)
Disabling useless daemons in RHEL/Centos/Oracle 6 servers
HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary: # chkconfig haldaemon off.
The hald – Hardware Access Layer Daemon – runs several processes in order to keep track of what hardware is installed on your system. This includes polling USB Drives and ´hot-swap´ devices to check for changes along with a host of other tasks.
You might see it running on your system as follows:
2474 ? S 0:00 \_ hald-runner
2481 ? S 0:00 \_ hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
2487 ? S 0:00 \_ hald-addon-keyboard: listening on /dev/input/event0
2495 ? S 41:47 \_ hald-addon-storage: polling /dev/hdc
If your system is static and the devices do not change, you can actually disable this service using a policy entry.
Create a file in your policy directory, for example /etc/hal/fdi/policy/99-custom.fdi. Add the text:
hald-addon-storage
Save and reload the hald using /etc/init.d/haldaemon restart.
And you will find that service no longer is polling your hardware.
Of course to turn it back on, remove that policy entry and restart the haldaemon again, it will be back in service.
Solution Credit: Linuxforums User cn77
www.softpanorama.org/Commercial_linuxes/RHEL/Daemons/removing_daemons_in_rhel6.shtml
udev-Regel für PS/2-mouse (optical mouse from Logitech®)
... results from &quto;udevadm info -a -p /devices/platform/i8042/serio1/input/input12"
/etc/udev/rules.d/10-ps2mouse.rules
KERNEL=="input12" SUBSYSTEM=="input" DRIVER=="" ATTR{uniq}=="" ATTR{properties}=="1" ATTR{phys}=="isa0060/serio1/input0" ATTR{name}=="ImExPS/2 Logitech Wheel Mouse" ATTR{modalias}=="input:b0011v0002p0006e0063-e0,1,2,k110,111,112,113,114,r0,1,6,8,amlsfw"
KERNELS=="serio1" SUBSYSTEMS=="serio" DRIVERS=="psmouse" ATTRS{resetafter}=="5" ATTRS{resolution}=="200" ATTRS{description}=="i8042 AUX port" ATTRS{firmware_id}=="PNP: PNP0f03 PNP0f13" ATTRS{protocol}=="ImExPS/2" ATTRS{rate}=="100" ATTRS{bind_mode}=="auto" ATTRS{resync_time}=="0" ATTRS{modalias}=="serio:ty01pr00id00ex00"
Secure up RPC-services
Deactivate RPC abschalten (or deinstall it), if not needed.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html
haveged
The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.
tcp_wrapper for server
With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.
It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise yourself lucky if you don´t know what that means.
The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.
Optional features are: access control to restrict what systems can connect to what network daemons; client user name lookups with the RFC 931 etc. protocol; additional protection against hosts that pretend to have someone elses host name; additional protection against hosts that pretend to have someone elses host address.
Securing Squid
Squid is one of the most popular proxy/cache server, and there are some security issues that should be taken into account. Squid´s default configuration file denies all users requests. However the Debian package allows access from ´localhost´, you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks defining an Access Control List on /etc/squid/squid.conf, see the Squid User´s Guide for more information about defining ACLs rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything, except from localhost to connect to your proxy server (which will run in the default port 3128). You will need to customize your /etc/squid/squid.conf as needed. The recommended minimum configuration (provided with the package) is shown below:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
X11-Server
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
(...)
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all
You should also configure Squid based on your system resources, including cache memory (option cache_mem), location of the cached files and the amount of space they will take up on disk (option cache_dir).
Notice that, if not properly configured, someone may relay a mail message through Squid, since the HTTP and SMTP protocols are designed similarly. Squid´s default configuration file denies access to port 25. If you wish to allow connections to port 25 just add it to Safe_ports lists. However, this is NOT recommended.
Setting and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid´s logs to assure that all things are working as they should be working. There are some packages in Debian GNU/Linux that can help an administrator to do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):
calamaris - Log analyzer for Squid or Oops proxy log files.
modlogan - A modular logfile analyzer.
sarg - Squid Analysis Report Generator.
squidtaild - Squid log monitoring program.
When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don´t need to worry about this. Note that if you want to use this feature be sure that it is really necessary. To find more information about Accelerator Mode on Squid see the Squid User´s Guide - Accelerator Mode
Securing printing access (the lpd and lprng issue)
Imagine, you arrive at work, and the printer is spitting out endless amounts of paper because someone is DoSing your line printer daemon. Nasty, isn´t it?
In any UNIX printing architecture, there has to be a way to get the client´s data to the host´s print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why these programs are usually SUID or SGID).
In order to avoid any issues you should keep your printer servers especially secure. This means you need to configure your printer service so it will only allow connections from a set of trusted servers. In order to do this, add the servers you want to allow printing to your /etc/hosts.lpd.
However, even if you do this, the lpr daemon accepts incoming connections on port 515 of any interface. You should consider firewalling connections from networks/hosts which are not allowed printing (the lpr daemon cannot be limited to listen only on a given IP address).
Lprng should be preferred over lpr since it can be configured to do IP access control. And you can specify which interface to bind to (although somewhat weirdly).
If you are using a printer in your system, but only locally, you will not want to share this service over a network. You can consider using other printing systems, like the one provided by cups or PDQ which is based on user permissions of the /dev/lp0 device.
In cups, the print data is transferred to the server via the HTTP protocol. This means the client program doesn´t need any special privileges, but does require that the server is listening on a port somewhere.
However, if you want to use cups, but only locally, you can configure it to bind to the loopback interface by changing /etc/cups/cupsd.conf:
Listen 127.0.0.1:631 # This might not work! To go sure: Port 631 and Listen /var/run/cups/cups.sock
There are many other security options like allowing or denying networks and hosts in this config file. However, if you do not need them you might be better off just limiting the listening port. Cups also serves documentation through the HTTP port, if you do not want to disclose potential useful information to outside attackers (and the port is open) add also:
>Location /<
Order Deny,Allow
Deny From All
Allow From 127.0.0.1 # or try "Allow @LOCAL"
</Location>
This configuration file can be modified to add some more features including SSL/TLS certificates and crypto. The manuals are available at http://localhost:631/ or at cups.org.
FIXME: Add more content (the article on Amateur Fortress Building provides some very interesting views).
FIXME: Check if PDG is available in Debian, and if so, suggest this as the preferred printing system.
FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if it´s available in Debian.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html
Securing SSH, mail-service, BIND, Apache, Finger and deactivate NIS
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html
Administrate the services with systemd since year 2013 or by chkconfig
/etc/rc.local for each boot still is not registrated, so it still might not be executed, maybe the same for ip6tables and iptables. For this purpose create rc.local in /etc/init.d (by overwriting it with /etc/init.d/linfw3 for example) to change the include of previous daemon linfw3, now rc.local in /etc/init.d up to the following: start() "sh /etc/init.d/rc.local", unneeded variables removed and without stop() and restart(). Set a new chkconfig-number in the commented in line at the beginning.
To be careful, registrate the service: "chkconfig --add rc.local".
Generally, using this command, all services get visible in MCC -> service administration.
Set the hooks to activate the needed ones only or set the runlevel 0 up to 6 for each new service manually, almost like 0-OFF 1-OFF 2-OFF 3-ON 4-ON 5-ON 6-OFF.
Notice, that all runlevel-init-scripts out of /etc/init.d/ and /etc/rcX.d can also get started (start), restarted (restart) and stopped (stop) for MDV and el6 and many other distributions manually by a command like:
"sh /etc/init.d/linfw3 start".
Start of the database server mysqld (el6.remi): like rc.local above, but the bind-address has to be commented in /etc/my.cnf.
Reverse-Proxy daemon (init-script) nginx (el6): like rc.local above too, but before you do this, copy "cp -axf /usr/lib/perl5/strict.pm /usr/local/share/perl5&quto; and "cp -axf /usr/lib/perl5/warnings* /usr/local/share/perl5/".
Apache webserver daemon httpd (el6): like rc.local above, but modules have to be configured well, eventually remove them.
Print server daemon: cups (pclos)
LAN-server resp. - clients: samba-... (el6); samba is not required for single pc-workstations connected with a DSL-router
...
But before these init-scripts get started, configure the server in their own configuration-files in /etc !
...
Detailed includes of /etc/rc.local and one more script in /usr/sbin for ACL-access-rights are listed further below. Both will be started as runlevel-init-scripts (daemons) each boot out of /etc/init.d .
Important access-rights each system-boot, meaning of UNIX/Linux-groups
Files and directories with unrestricted access-rights can be found out, even without root-rights:
The command
find / -path /proc -prune -o -type f -perm 666
finds all files within the complete file-system except within "/proc", that can be read and overwritten (write). The next one,
find / -path /proc -prune -o -type f -perm 777
lists all such files, that are executable too.
find / -path /proc -prune -o -type d -perm 777
finds directores, that are ready for read and write.
Instead of giving directorese and files the full access rights (chmod 777), it is the better to use groups for the common used files by the command
chgrp [-R] [group] [file/Directory]
https://www.pcwelt.de/ratgeber/Sechs-wichtige-Sicherheitstipps-Linux-Server-9940087.html#6
777 ->, 770, 775 -> 770, 755 ->, 750, 641 ->, 640 usw.
For this, at least following user should belong to the group of root: standard group root, uuid, lp, lpadmin, tty, user and toruser.
Be a little bit careful with this! We almost resign from this assignment of users to the group of root in main in future, but whoever wants can try to restrict even more the access rights this way...
chgrp changes the group of directories and files. For the full access by different user and groups only the access-right 770 for directories and 660 for files have to be set only..
Important access-rights set each system boot
/etc/rc.local
chown root:root / # Notice: It would be much better to enter all chown and chmod here in /etc/permissions.secure and in the adequate form there only!
chown root:root /* # -> /etc/permissions.secure
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chmod 400 /etc/shadow*
chmod 400 path_to_encrypted_key_file_for_LUKS_encrypted_partitions
...
In order to gain a first, short overview for more access-rights within /etc/rc.local set each boot ( for a second we are going to list them more in detail soon ). They do not make the system working only secure, they also do let work it mouseclick-fast :
chmod 111 /# Notice: It would be much better to enter all chown and chmod here in /etc/permissions.secure and in the adequate form there only!
chmod 755 /usr # 755 needed for caffeine only, else 751
chmod 751 /bin
chmod 751 /var # resp. 750, if user belongs to the group of root
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /usr/lib64
# chmod 751 -R /usr/lib64/python2.6
# chmod 751 -R /usr/lib/python2.6 # shall have got the same include as /usr/lib64/python2.6
chmod 751 /usr/lib64/kde4
chmod 751 /etc # resp. chmod 750, if the groups listed above belong to root, same for /opt and /var, but we won&#t follow this in future.
chmod 755 /etc/* # resp.chmod 750, if the groups listed above belong to root, same for /opt and /var, but we won&#t follow this in future.
chmod 755 /etc/bashrc
chmod 755 -R /etc/font*
chmod 755 /etc/group
chmod 755 /etc/nsswitch.conf
chmod 755 /etc/ld.so.preload
chmod 755 -R /etc/pango*
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chown root:shadow /etc/shadow*
chmod 400 /etc/shadow*
chown root:root /etc/passwd*
chmod 644 /etc/passwd*
chown root:root /etc/fstab*
chmod 400 /etc/fstab*
chown root:root /etc/crypttab*
chmod 700 /etc/crypttab*
chown root:root /etc/mtab*
chmod 700 /etc/mtab*
chown root:root /etc/hosts
chmod 644 /etc/hosts
chown root:root /etc/mtab*
chmod 644 /etc/mtab* # chmod 700: kdf arbeitet nicht
chown root:root /etc/login.defs
chmod 755 /etc/login.defs
chmod 755 -R /etc/firejail
chmod 755 -R /etc/xdg*
chmod 755 -R /etc/resolv.conf
chown root:root -R /etc/modprobe*
chmod 700 -R /etc/modprobe*
chmod 751 /opt # resp. 750, if user belongs to the group of root
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chown root:root /usr/bin
chown root:root /usr/sbin
chown root:root /usr/lib64
chown root:root /usr/lib
chown root:root /usr/libexec
chown root:root /usr/share
chown root:root /root
chmod 700 /usr/bin/xterm # terminals (except your favorite one)
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/byobu*
chmod 700 /usr/bin/terminator*
chmod 700 /usr/bin/quadkonsole*
chmod 700 /usr/bin/lxterminal*
chmod 700 /usr/bin/yakuake*
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/multi-aterm
chmod 700 /usr/bin/tcsh*
chmod 700 /usr/bin/rxvt*
chown root:firejail /usr/bin/firejail
chmod 04750 /usr/bin/firejail # For this, surfuser must be a member of the primary group named firejail of firejail !
chmod 644 /etc/passwd
chmod 644 /etc/security/msec/*.secure
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 /home/uuidd
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente
#
# from permissions (OpenSuSE, chkstat), level: secure with some changes
/ root:root 111
/root/ root:root 700
/tmp/ root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev/ root:root 755
/bin/ root:root 751
/sbin/ root:root 751
/lib/ root:root 751
/etc/ root:root 751
/home/ root:root 711
/boot/ root:root 755
/opt/ root:root 751
/usr/ root:root 755
/usr/local root:root 755
#
# /var:
#
/var/tmp/ root:root 1777
/var/log/ root:root 755
/var/spool/ root:root 755
/var/spool/mqueue/ root:root 700
/var/spool/news/ news:news 775
/var/spool/voice/ root:root 755
/var/spool/mail/ root:root 1777
/var/adm/ root:root 755
/var/adm/backup/ root:root 700
/var/cache/ root:root 755
/var/cache/man/ man:root 755
/var/run/nscd/socket root:root 666
/run/nscd/socket root:root 666
/var/run/sudo/ root:root 700
/run/sudo/ root:root 700
#
# login tracking
#
/var/log/lastlog root:root 644
/var/log/faillog root:root 600
/var/log/wtmp root:utmp 664
/var/log/btmp root:utmp 600
/var/run/utmp root:utmp 664
/run/utmp root:utmp 664
#
# some device files
#
/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640
#
# /etc
#
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 400
/etc/init.d/ root:root 755
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644
/etc/opiekeys root:root 600
/etc/ppp/ root:root 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600
# sysconfig files:
/etc/sysconfig/network/providers/ root:root 700
# utempter
/usr/lib/utempter/utempter root:utmp 2755
# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ssh_host_dsa_key.pub root:root 644
/etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ssh_host_rsa_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640
#
# legacy
#
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755
# games:games 775 safe as long as we don´t change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755
# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750
#
# udev static devices (#438039)
#
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666
#
# named chroot (#438045)
#
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666
# opiesu is not allowed setuid root as code quality is bad (bnc#882035)
/usr/bin/opiesu root:root 0755
# we no longer make rpm build dirs 1777
/usr/src/packages/SOURCES/ root:root 0755
/usr/src/packages/BUILD/ root:root 0755
/usr/src/packages/BUILDROOT/ root:root 0755
/usr/src/packages/RPMS/ root:root 0755
/usr/src/packages/RPMS/alphaev56/ root:root 0755
/usr/src/packages/RPMS/alphaev67/ root:root 0755
/usr/src/packages/RPMS/alphaev6/ root:root 0755
/usr/src/packages/RPMS/alpha/ root:root 0755
/usr/src/packages/RPMS/amd64/ root:root 0755
/usr/src/packages/RPMS/arm4l/ root:root 0755
/usr/src/packages/RPMS/armv4l/ root:root 0755
/usr/src/packages/RPMS/armv5tejl/ root:root 0755
/usr/src/packages/RPMS/armv5tejvl/ root:root 0755
/usr/src/packages/RPMS/armv5tel/ root:root 0755
/usr/src/packages/RPMS/armv5tevl/ root:root 0755
/usr/src/packages/RPMS/armv6l/ root:root 0755
/usr/src/packages/RPMS/armv6vl/ root:root 0755
/usr/src/packages/RPMS/armv7l/ root:root 0755
/usr/src/packages/RPMS/athlon/ root:root 0755
/usr/src/packages/RPMS/geode/ root:root 0755
/usr/src/packages/RPMS/hppa2.0/ root:root 0755
/usr/src/packages/RPMS/hppa/ root:root 0755
/usr/src/packages/RPMS/i386/ root:root 0755
/usr/src/packages/RPMS/i486/ root:root 0755
/usr/src/packages/RPMS/i586/ root:root 0755
/usr/src/packages/RPMS/i686/ root:root 0755
/usr/src/packages/RPMS/ia32e/ root:root 0755
/usr/src/packages/RPMS/ia64/ root:root 0755
/usr/src/packages/RPMS/mips/ root:root 0755
/usr/src/packages/RPMS/noarch/ root:root 0755
/usr/src/packages/RPMS/pentium3/ root:root 0755
/usr/src/packages/RPMS/pentium4/ root:root 0755
/usr/src/packages/RPMS/powerpc64/ root:root 0755
/usr/src/packages/RPMS/powerpc/ root:root 0755
/usr/src/packages/RPMS/ppc64/ root:root 0755
/usr/src/packages/RPMS/ppc/ root:root 0755
/usr/src/packages/RPMS/s390/ root:root 0755
/usr/src/packages/RPMS/s390x/ root:root 0755
/usr/src/packages/RPMS/sparc64/ root:root 0755
/usr/src/packages/RPMS/sparc/ root:root 0755
/usr/src/packages/RPMS/sparcv9/ root:root 0755
/usr/src/packages/RPMS/x86_64/ root:root 0755
/usr/src/packages/SPECS/ root:root 0755
/usr/src/packages/SRPMS/ root:root 0755
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 400
/etc/ftpusers root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
/etc/ssh/sshd_config root:root 600
# we might want to tighten that up in the future in this profile (remove the
# ability for others to read/enter)
/etc/cron.d root:root 755
/etc/cron.daily root:root 755
/etc/cron.hourly root:root 755
/etc/cron.monthly root:root 755
/etc/cron.weekly root:root 755
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
# disable at and cron for users that do not belnong to the group "trusted"
/usr/bin/at root:trusted 4750
/usr/bin/crontab root:trusted 4750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 2755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
#
/usr/bin/opiepasswd root:root 4755
#
/sbin/mount.nfs root:root 0755
#
#
/usr/bin/fusermount root:trusted 4750
# needs setuid root when using shadow via NIS:
#
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755
# squid changes
/var/cache/squid/ squid:root 0750
/var/log/squid/ squid:root 0750
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:shadow 2750
# still to be converted to utempter
/usr/lib/gnome-pty-helper root:utmp 2755
#
# mixed section: most of it is disabled in this permissions.secure:
#
# video
/usr/bin/v4l-conf root:video 4750
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
#
# networking (need root for the privileged socket)
#
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
/usr/bin/ping6 root:root 0755
+capabilities cap_net_raw=ep
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0750
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# exim
/usr/sbin/exim root:root 4755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
#
# terminal emulators
# This and future SUSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755
#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# needs setuid root when using shadow via NIS:
# #66218
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
/usr/lib/libexec/kf5/kdesud root:nogroup 2755
/usr/lib64/libexec/kf5/kdesud root:nogroup 2755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
#
# amanda
#
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
#
# news (inn)
#
# the inn start script changes it´s uid to news:news. Later innbind
# is called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required
# for operation. (#67032, #594393)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/inews news:news 2555
/usr/lib/news/bin/innbind root:news 4550
#
# sendfax
#
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4755
/var/spool/fax/outgoing/ fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755
#
# uucp
#
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
# pcp (bnc#782967)
/var/lib/pcp/tmp/ root:root 0755
/var/lib/pcp/tmp/pmdabash/ root:root 0755
/var/lib/pcp/tmp/mmv/ root:root 0755
/var/lib/pcp/tmp/pmlogger/ root:root 0755
/var/lib/pcp/tmp/pmie/ root:root 0755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# dbus-1 in /usr #1056764)
/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# policycoreutils (#440596)
/usr/bin/newrole root:root 0755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
# bsc#1120650
/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# (bnc#533550)
/usr/lib/virtualbox/VBoxNetAdpCtl root:vboxusers 0755
# bnc#669055
/usr/lib/virtualbox/VBoxNetDHCP root:vboxusers 0755
# bsc#1033425
/usr/lib/virtualbox/VBoxNetNAT root:vboxusers 0755
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755
# lockdev (bnc#588325)
/usr/sbin/lockdev root:lock 2755
# hawk (bnc#665045)
/usr/sbin/hawk_chkpwd root:haclient 4750
/usr/sbin/hawk_invoke root:haclient 4750
# chromium (bnc#718016)
/usr/lib/chrome_sandbox root:root 4755
# ecryptfs-utils (bnc#740110)
/sbin/mount.ecryptfs_private root:root 0755
# wireshark (bsc#957624)
/usr/bin/dumpcap root:wireshark 0750
+capabilities cap_net_raw,cap_net_admin=ep
# singularity (bsc#1028304)
# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
#/usr/lib/singularity/bin/expand-suid root:singularity 4750
#/usr/lib/singularity/bin/create-suid root:singularity 4750
#/usr/lib/singularity/bin/export-suid root:singularity 4750
#/usr/lib/singularity/bin/import-suid root:singularity 4750
/usr/lib/singularity/bin/action-suid root:singularity 4750
/usr/lib/singularity/bin/mount-suid root:singularity 4750
/usr/lib/singularity/bin/start-suid root:singularity 4750
/usr/bin/su root:root 4755
/usr/bin/mount root:root 4755
/usr/bin/umount root:root 4755
# cdrecord of cdrtools from Joerg Schilling (bnc#550021)
# in secure mode, no provisions are made for reliable cd burning, as admins
# will have very likely prohibited that anyway.
/usr/bin/cdrecord root:root 755
/usr/bin/readcd root:root 755
/usr/bin/cdda2wav root:root 755
# qemu-bridge-helper (bnc#765948, bsc#988279)
/usr/lib/qemu-bridge-helper root:kvm 04750
# systemd-journal (bnc#888151)
/var/log/journal/ root:systemd-journal 2755
#iouyap (bnc#904060)
/usr/lib/iouyap root:iouyap 0750
# radosgw (bsc#943471)
/usr/bin/radosgw root:www 0750
+capabilities cap_net_bind_service=ep
# gstreamer ptp (bsc#960173)
/usr/lib/gstreamer-1.0/gst-ptp-helper root:root 0755
+capabilities cap_net_bind_service=ep
#
# suexec is only secure if the document root doesn´t contain files
# writeable by wwwrun. Make sure you have a safe server setup
# before setting the setuid bit! See also
# https://bugzilla.novell.com/show_bug.cgi?id=263789
# http://httpd.apache.org/docs/trunk/suexec.html
# You need to override this in permissions.local.
# suexec2 is a symlink for now, leave as-is
#
/usr/sbin/suexec root:root 0755
# newgidmap / newuidmap (bsc#979282, bsc#1048645)
/usr/bin/newgidmap root:shadow 4755
/usr/bin/newuidmap root:shadow 4755
# kwayland (bsc#1062182)
/usr/bin/kwin_wayland root:root 0755
+capabilities cap_sys_nice=ep
# gvfs (bsc#1065864)
/usr/lib/gvfs/gvfsd-nfs root:root 0755
# icinga2 (bsc#1069410)
/run/icinga2/cmd icinga:icingagmd 2750
# fping (bsc#1047921)
/usr/sbin/fping root:root 0755
+capabilities cap_net_raw=ep
# usbauth (bsc#1066877)
/usr/bin/usbauth-npriv root:usbauth 04750
/usr/lib/usbauth-notifier root:usbauth-notifier 0750
/usr/lib/usbauth-notifier/usbauth-notifier root:usbauth 02755
# spice-gtk (bsc#1101420)
/usr/bin/spice-client-glib-usb-acl-helper root:kvm 04750
# smc-tools (bsc#1102956)
/usr/lib/libsmc-preload.so root:root 04755
/usr/lib64/libsmc-preload.so root:root 04755
# lxc (bsc#988348)
/usr/lib/lxc/lxc-user-nic root:kvm 04750
# firejail (bsc#1059013)
/usr/bin/firejail root:firejail 04750 # For this, surfuser must be member of the primary group named firejail of firejail !
# authbind (bsc#1111251)
/usr/lib/authbind/helper root:root 04755
# fuse3 (bsc#1111230)
/usr/bin/fusermount3 root:trusted 04750
# 389-ds (bsc#1111564)
/usr/sbin/ns-slapd root:dirsrv 0750
/ root:root 111
/home root:root 711
/home/user user:user 700
/home/surfuser surfuser:surfuser 700
/home/toranonym toruser:torgroup 700
/usr/src root:root 700
/usr/lib64 root:root 751
/usr/lib64/kde4 root:root 751
/usr root:root 755
/bin root:root 751
/sbin root:root 751
/lib64 root:root 751
/lib root:root 751
/root root:root 700
/initrd root:root 751
/misc root:root 751
/boot-save root:root 000
/usr/games root:root 751
/net root:root 751
/secoff root:root 710
/sid-root root:root 700
/srv root:root 751
/sys root:root 751
/var root:root 751
/mnt root:root 755
/media root:root 711
/initrd root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/local/Brother root:root 755
/GenuineIntel.bin root:root 710
/Module.symvers root:root 751
/usr/lib/cups root:sys 755
/usr/share/cups root:sys 755
/etc/cups root:sys 755
/smack root:root 700
/usr/share root:root 755
/usr/share/* root:root 755
/usr/libexec root:root 751
/usr/libexec/* root:root 755
/usr/lib64/kde4 root:root 751
/home/user/Dokumente user:user 700
/home/user/Dokumente/* user:user 700
/home/user/.kde4 user:user 700
/home/user/.kde4/* user:user 700
/home/user/.kde4/share/apps/kmail/mail user:user 700
/home/user/.kde4/share/apps/kmail/mail/*/*/* user:user 700
/home/surfuser/.mozilla surfuser:surfuser 100
/var/cache root:root 755
/var/cache/cups root:sys 775
/var/cache/cups/ppds.dat lp:sys 755
/var/cache/cups/job.cache root:sys 755
/var/cache/cups/help.index lp:sys 755
/var/cache/pdnsd pdnsd:pdnsd 755
/var/cache/pdnsd/pdnsd.cache pdnsd:pdnsd 755
/var/cache/coolkey root:root 755
/var/cache/urpmi root:root 755
/var/cache/apparmor root:root 755
/home/uuidd uuidd:uuidd 700
/usr/libexec root:root 755
/usr/lib/cups/filter root:sys 755 # Gruppe sys, abhängig von /etc/cups/cupsd.conf
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/ root:sys 755
/usr/share/cups/* root:sys 755
/usr/share/cups/model/ root:sys 755
/var/spool root:root 755
/var/spool/MailScanner root:root 755
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/* root:sys 755
/etc/cups root:sys 755
/etc/cups/* root:sys 755
/var/cache/cups root:sys 775
/var/cache/cups/rss root:sys 775
/lib64/ld*.so root:root 755
/lib64/libc-*.so root:root 755
/usr/lib64/kde4 root:root 751
/usr/lib64/kde4/* root:root 755
/usr/share root:root 755
/usr/games root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/share/* root:root 755
Start permissions for example in /etc/rc.local: chkstat --set --no-fscaps /etc/permissions # rpm "permissions" from OpenSuSE (even possible for CentOS 6)
chkstat --set --no-fscaps /etc/permissions.secure # configuration from right above
chkstat --set --no-fscaps /etc/permissions.local # ... but configure it at first!
CAPABILITIES
capsh, getcap, setcap, ...
linux - Using capsh to drop all capabilities - Stack Overflow
root: All caps are assigned to root by default !
pub enum Capability { CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP Drops the capability for the current process via a call to cap_drop_bound.0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37...
Capabilities:
capsh --print Current: = Bounding set = Securebits: 00/0x0/1'b0 secure-noroot: no (unlocked) secure-no-suid-fixup: no (unlocked) secure-keep-caps: no (unlocked) uid=10101(u0_a101) gid=10101...
/etc/permissions.secure :
...
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
...
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
...
stackoverflow.com/questions/28811823/using-capsh-to-drop-all-capabilities
/etc/rc.local (complete, vollständig)
#!/bin/sh
#
### BEGIN INIT INFO
# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don´t
# want to do the full Sys V style init stuff.
### END INIT INFO
sysctl -p /etc/sysctl.conf
auditctl -e0
echo 1 > /sys/devices/system/cpu/microcode/reload
# microcode_ctl -Qu
sh /usr/libexec/microcode_ctl/reload_microcode
hdparm -W1a0A0 /dev/sda # mausklick-schnelle SSD am S-ATA-Port, beachte die Anschlussnummer (1: sda, 2: sdb, ...)
echo deadline > /sys/block/sdb/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "" > /etc/securetty
# https://en.wikipedia.org/wiki/TCP_congestion-avoidance_algorithm
# cat /proc/sys/net/ipv4/tcp_congestion_control
# modprobe tcp_htcp
modprobe sch_fq_codel
modprobe tcp_cubic
# modprobe tcp_bbr
# echo sch_fq_codel > /proc/sys/net/core/default_qdisc
echo cubic > /proc/sys/net/ipv4/tcp_congestion_control
macchanger --mac=ac:22:ca:00:00:c1 eth0
echo sch_fq_codel > /proc/sys/net/core/default_qdisc
xhost -
xhost +si:localuser:user
xhost -inet6:user@
xhost -nis:user@
xhost - 192.168.178.1
xhost - 192.168.178.40
# echo 1 > /proc/sys/net/ipv4/conf/all/hidden # or net.ipv4.conf.all.hidden=1 within /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/shared_media
# echo 1 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/shared_media
touch /var/lock/subsys/local
modprobe usblp
modprobe usb_storage
ifconfig eth0 -multicast
ifconfig lo -multicast
ifconfig lo -broadcast
ip link set eth0 multicast off
ip link set lo multicast off
sh /etc/init.d/ip6tables restart # wenn iptables-ipv6 (el6) neben iptables (el6) installiert worden ist; Der gesamte Traffic innerhalb des neuen Adressraums IPv6 wird auf INPUT, OUTPUT und FORWARD mit Linfw3 geblockt, siehe Regeln innerhalb /etc/sysconfig/ip6tables. Anstelle dieses totalen Blocks können alle IPv4-Regeln von Linfw3 in /usr/local/LINFW3.sh nach /etc/sysconfig/ip6tables übernommen werden, indem ipt="iptables" mit ipt="ip6tables" ausgestauscht wird. Überprüfe außerdem, ob /sbin/ip6tables* richtig mit /sbin/ip6tables-multi verlinkt ist.
mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2
#sh /etc/init.d/syslog start
sh /etc/init.d/rsyslog start
cp -fp /etc/hosts.savenew /etc/hosts
cp -fp /etc/pdnsd-savenew.conf /etc/pdnsd.conf
# cp -fp /boot-save/ifcfg-eth0* /etc/sysconfig/network-scripts/
cp -fp /boot-save/70-persistent-net.rules /etc/udev/rules.d/
export RESOLV_HOST_CONF="/etc/hosts"
# sh /etc/init.d/incrond start
# sh /etc/init.d/noflushd start
# gpg-agent --daemon --use-standard-socket
# atieventsd
# dhclient -4 -cf /etc/dhcp/dhclient.conf eth0 &
# NetworkManager --log-level=ERR
# preload
# ifup eth0
# acpid&
# dnssec-triggerd
# unbound -dv -c /etc/unbound/unbound.conf
# tcpd &
# sh /etc/init.d/xfs start
# sh /etc/init.d/psad start
# paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 192.168.178.1 -l --tcp-port 443 /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 208.67.222.222 --tcp-port 443 -l /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 213.73.91.35 --tcp-port 443 -l /dev/null
# cp -fp /var/cache/pdnsd.cache /var/cache/pdnsd-savenew.cache
# speechd
# artsd&
# killall plymouthdxhost -
# sh /etc/init.d/lpd start
# redshift -l 60:10 -t 6500K:6200K&
sh /etc/init.d/modules-disabled start# kernel.modules_disabled=1, here after 45 seconds
chkstat --set --no-fscaps /etc/permissions # rpm permissions form OpenSuSE
chkstat --set --no-fscaps /etc/permissions.secure
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox &
#apparmor_parser -af /etc/apparmor/profiles/sbin.dhclient &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin.man &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin/passwd &
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.sh &
# /usr/lib64/apparmorapplet&
unshare apparmor-dbus &
echo "ALLOW_REBOOT=yes" >> /etc/security/msec/security.conf
echo "BASE_LEVEL=secure" > /etc/security/msec/security.conf
echo "ENABLE_STARTUP_MSEC=yes" > /etc/security/msec/security.conf
echo "ENABLE_STARTUP_PERMS=enforce" > /etc/security/msec/security.conf
msec -f secure # msec: rpm from Mandriva Linux and Rosalabs
# chmod 666 /dev/usb/lp0 # besser: Sämtliche chown und chmod in /etc/permissions.secure in der vorgesehenen Form eintragen!
chown pdnsd:pdnsd -R /var/cache/pdnsd
chmod 755 /var/cache/pdnsd/pdnsd.cache
chown root:root /etc/hosts
chmod 400 /usr/local/key
chmod 644 /etc/hosts
chmod 111 /
chmod 751 /etc
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 400 /etc/shadow*
chmod 400 /etc/fstab*
chmod 700 /etc/crypttab*
chmod 700 /etc/mtab*
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 -R /home/surfuser/.mozilla
chown root:root /home/surfuser/.mozilla/firefox/profile.default/user.js
chmod 755 /home/surfuser/.mozilla/firefox/profile.default/user.js
chown root:root /home/surfuser/.mozilla/firefox/prefs.js
chmod 755 /home/surfuser/.mozilla/firefox/prefs.js
chmod 700 -R /home/surfuser/.moon*
chmod 700 -R /usr/src
chmod 751 /etc/X11
chmod 751 /usr/lib64
chmod 751 /usr/lib64/kde4
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente
chmod 700 /home/uuidd
chmod 400 /usr/local/ke*
chmod 755 /usr
chmod 751 /bin
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /opt
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chmod 644 /etc/passwd
chmod 751 /usr/games
chmod 751 /net
chmod 710 /secoff
chmod 700 /sid-root
chmod 700 /smack
chmod 751 /srv
chmod 751 /sys
chmod 700 /typo3i*
chmod 751 /var
chmod 700 /lost*found
chmod 710 /intel-ucode*
chmod 751 /initrd
chmod 710 /GenuineIntel.bin
chmod 751 /etc/security/msec/*.secure
chmod 751 /Module.symvers
rm -df /home/surfuser/.Xauth*.*
rm -df /home/surfuser/.xauth*
rm -df /home/toruser/.xauth*
rm -df /home/toruser/.Xauth*.*
rm -df /home/user/.kde4/share/apps/kmail/mail/Spam/cur/*
rm -df /var/spool/cups/a*
rm -df /var/spool/cups/b*
rm -df /var/spool/cups/c*
rm -df /var/spool/cups/d*
rm -df /var/spool/cups/e*
rm -df /var/spool/cups/f*
rm -df /var/spool/cups/g*
rm -df /var/spool/cups/h*
rm -df /var/spool/cups/i*
rm -df /var/spool/cups/j*
rm -df /var/spool/cups/k*
rm -df /var/spool/cups/l*
rm -df /var/spool/cups/m*
rm -df /var/spool/cups/o*
rm -df /var/spool/cups/p*
rm -df /var/spool/cups/q*
rm -df /var/spool/cups/r*
rm -df /var/spool/cups/s*
rm -df /var/spool/cups/u*
rm -df /var/spool/cups/v*
rm -df /var/spool/cups/w*
rm -df /var/spool/cups/x*
rm -df /var/spool/cups/y*
rm -df /var/spool/cups/z*
echo ´V´ > /dev/watchdog
sh /etc/init.d/dosetfacls start# Script dosetfacls right up in the following
exit
Also create file (runlevel-init-script)
/etc/init.d/dosetfacls
Erzeuge noch
/etc/init.d/dosetfacls
#!/bin/sh
#
# This is file /etc/rc.d/init.d/linfw3 and was put here
# by the linfw3 rpm
#
# chkconfig: 2345 92 36
#
# description: secure iptables based firewall against all hacker and trojans \
# evtl. change chkconfig Number!
#
# ********************************************************************
#
# File : DOLLARSIGNSource: /cvsroot/ijbswa/current/linfw3.init,v $
#
# Purpose : This shell script takes care of starting and stopping
# linfw3.
#
# Copyright : Written by Gooken
# http://www.gooken.de
#
#
#
# ********************************************************************/
# Source function library.
. /etc/rc.d/init.d/functions
start () {
# start daemon
setfacl -m u:-1:- /* # There is an unnamed (!) process starting from time to time by user so called "-1, root".... listed on the buttom of the listing from ps -aux (gamin, FAM?)
setfacl -m u:-1:- /mnt
setfacl -m u:-1:- /media
setfacl -m u:apache:- /home/user
setfacl -m u:apache:- /home/surfuser
setfacl -m u:apache:- /home/toranonym
setfacl -m u:apache:- /mnt
setfacl -m u:apache:- /media
setfacl -m u:surfuser:- /etc/shadow*
setfacl -m u:toranonym:- /etc/shadow*
setfacl -m u:surfuser:- /etc/fstab*
setfacl -m u:surfuser:- /etc/mtab*
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:toranonym:- /etc/fstab*
setfacl -m u:toranonym:- /etc/mtab*
setfacl -m u:toranonym:- /etc/crypttab*
setfacl -m u:surfuser:- /etc/init.d
setfacl -m u:surfuser:- /etc/init.d/*
setfacl -m u:toranonym:- /etc/init.d
setfacl -m u:toranonym:- /etc/init.d/*
setfacl -m u:surfuser:- /etc/rc0.d
setfacl -m u:surfuser:- /etc/rc1.d
setfacl -m u:surfuser:- /etc/rc2.d
setfacl -m u:surfuser:- /etc/rc3.d
setfacl -m u:surfuser:- /etc/rc4.d
setfacl -m u:surfuser:- /etc/rc5.d
setfacl -m u:surfuser:- /etc/rc6.d
setfacl -m u:surfuser:- /etc/rc.local
setfacl -m u:toranonym:- /etc/rc0.d
setfacl -m u:toranonym:- /etc/rc1.d
setfacl -m u:toranonym:- /etc/rc2.d
setfacl -m u:toranonym:- /etc/rc3.d
setfacl -m u:toranonym:- /etc/rc4.d
setfacl -m u:toranonym:- /etc/rc.local
setfacl -m u:surfuser:- /etc/security/msec
setfacl -m u:surfuser:- /etc/security
setfacl -m u:toranonym:- /etc/security
setfacl -m u:toranonym:- /etc/security/msec
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:surfuser:- /usr/bin/*
setfacl -x surfuser /usr/bin/bash*
setfacl -x surfuser /usr/bin/unshare
setfacl -x surfuser /usr/bin/firejail*
setfacl -x surfuser /usr/bin/firefox*
setfacl -x surfuser /usr/bin/gftp*
setfacl -x surfuser /usr/bin/tor*
setfacl -x surfuser /usr/bin/xauth*
setfacl -x surfuser /usr/bin/xargs*
setfacl -x surfuser /usr/bin/sg*
setfacl -x surfuser /usr/bin/palemoon*
setfacl -x surfuser /usr/bin/export
setfacl -m u:surfuser:- /usr/libexec
setfacl -m u:surfuser:- /usr/sbin
setfacl -m u:surfuser:--x /bin
setfacl -m u:surfuser:- /bin/*
setfacl -m u:surfuser:- /sbin
setfacl -x surfuser /bin/bash*
setfacl -x surfuser /bin/certtool
setfacl -x surfuser /bin/certutil
setfacl -x surfuser /bin/basename
setfacl -x surfuser /bin/bash.old
setfacl -x surfuser /bin/p11tool
setfacl -x surfuser /bin/pk12util
setfacl -x surfuser /bin/smime
setfacl -x surfuser /bin/shlibsign
setfacl -x surfuser /bin/sign*
setfacl -x surfuser /bin/ssltap*
setfacl -m u:surfuser:--x /home/surfuser
setfacl -m u:toranonym:- /home/surfuser
setfacl -m u:surfuser:- /usr/local
setfacl -m u:surfuser:- /opt
setfacl -m u:surfuser:--x /lib64
setfacl -m u:surfuser:--x /usr/lib64
setfacl -m u:surfuser:--x /lib
setfacl -m u:surfuser:--x /usr/lib
setfacl -m u:surfuser:- /misc
setfacl -m u:surfuser:- /net
setfacl -m u:surfuser:- /sid-root
setfacl -m u:surfuser:--x /etc
setfacl -m u:surfuser:- /intel-ucode
setfacl -m u:surfuser:--x /secoff
setfacl -m u:surfuser:- /smack
setfacl -m u:surfuser:- /srv
setfacl -m u:surfuser:- /--tcp-port
setfacl -m u:surfuser:- /initrd
setfacl -m u:surfuser:- /ttf
setfacl -m u:surfuser:- /none
setfacl -m u:surfuser:- /doc
setfacl -m u:surfuser:- /firejail
setfacl -m u:surfuser:- /root
setfacl -m u:surfuser:- /usr/lib64/kde4/*
setfacl -x surfuser /usr/lib64/kde4/libexec
setfacl -m u:surfuser:- /usr/lib64/kde4/libexec/*
setfacl -x surfuser /usr/lib64/kde4/libexec/kdesu*
return
}
case "DOLLARSIGN1" in
start)
start
;;
*)
gprintf "Usage: %s {start|stop|restart|status}
" "DOLLARSIGNLINFW3_PRG"
exit 1
esac
exit DOLLARSIGNRETVAL
Notice: toranonym is our elder account for tor. Now it´s surfuser too - as general for browsing, but can be used for more privilidges, for many, many processes like for chats or global mapping like marble. surfuser only is enough - just reset belonging setfacl process by process to allow by option -x
Exchange DOLLARSIGN again with the dollar-character... and start it each boot within /etc/rc.local by the command "sh /etc/init.d/dosetfacls start" !
Change File Attributes (chattr) for example for data integrity ( option -i )
man chattr
User-Extended-Attributes must be set for the belonging partitions!
Also notice the many configuration files in the home-directory, that might get changed by you or automatically. We would resign from "chattr +i" upon them.
chattr +i -R /boot
chattr +i /etc/hosts* # Neben Root-Eigentumsrechten wichtiger Schutz vor Server-Pharming
chattr +i /etc/fstab
chattr +i /home/surfuser/.mozilla
chattr +i /home/surfuser/.mozilla/firefox/*.js
chattr +i /home/surfuser/.mozilla/firefox/profile.default/user.js
chattr +i /home/surfuser/torrc
chattr +i /home/surfuser/geoip*
chattr +i -R /home/user/.*
chattr +i -R /home/user/*
chattr -i -R /home/user/.dbus
chattr -i /home/user/.cache
chattr -i -R /home/user/.gnupg
chattr -i -R /home/user/.pulse*
chattr -i /home/user/.screenrc*
chattr -i /home/user/.esd_auth*
chattr -i /home/user/.Xauthority*
chattr -i /home/user/.Xdefaults*
chattr -i /home/user/.xsession*
chattr -i -R /home/user/.gconf*
chattr -i -R /home/user/.local*
chattr -i -R /home/user/.mcop*
chattr -i -R /home/user/.qt*
chattr -i -R /home/user/.kde*
chattr -i -R /home/user/.wine*
chattr -i -R /home/.MANY_GAMES_CONFIGS
chattr -i -R /home/user/.config*
... und create as described further above the belonging two runlevel-init-scripts (daemons) in /etc/init.d namens rc.local and dosetfacl.
Register those two scripts and active them by default in higher runlevels:
chkconfig --add rc.local && chkconfig --add dosetfacl
Advantage: regardless from packet-installations, significant ACL-access-rights were set each system boot. This keeps the system secure and makes it mouse-click-fast.
Additionally, the grsecurity-patches for the kernel (resp. root-kernel-processes), login-lock /sbin/nologin and password-protection and locking of all system- and user-accounts excecpt surfuser (and maybe a separate toruser), Sandbox Firejail (especially for the lock of the shells/terminals) and Firewall Linfw3 get in use too, beneath Tor resp. the tor-browser with firefox-extensions for script-filtering like ABP, noscript and RequestPolicyBlockContinued and more get in use too.
Set setfacl -m u:surfuser:- /usr/bin/* except for /usr/bin/bash, /usr/bin/firefox, /usr/bin/firejail, /usr/bin/sg, /usr/bin/proftp*, /usr/bin/tor*, /usr/bin/export, /usr/bin/xauth*, /usr/bin/xarg* and all communication programs, surfuser should be able to use.
rsyslog anstelle syslogd
Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, PostgreSQL, syslog/tcp, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to setup for the novice user. o lmnet.so - Implementation of network related stuff. o lmregexp.so - Implementation of regexp related stuff. o lmtcpclt.so - This is the implementation of TCP-based syslog clients. o lmtcpsrv.so - Common code for plain TCP based servers. o imtcp.so - This is the implementation of the TCP input module. o imudp.so - This is the implementation of the UDP input module. o imuxsock.so - This is the implementation of the Unix sockets input module. o imklog.so - The kernel log input module for Linux. o immark.so - This is the implementation of the build-in mark message input module. o imfile.so - This is the input module for reading text file data.
You have to delete all *syslog*-init-script-files out of /etc/rc*.d/ and /etc/init.d/ .
/etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
DollarsignModLoad imuxsock # provides support for local system logging (e.g. via logger command)
Dollarsignimklog # provides kernel logging support (previously done by rklogd)
#DollarsignModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#DOLLARSIGNModLoad imudp
#DOLLARSIGNUDPServerRun 514
# Provides TCP syslog reception
#DOLLARSIGNModLoad imtcp
#DOLLARSIGNInputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
DOLLARSIGNActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#DOLLARSIGNActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
DOLLARSIGNIncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don´t log private authentication messages!
*.warn;mail.none;news.none;authpriv.none;cron.none /tmp/messages
# The authpriv file has restricted access.
authpriv.* /tmp/secure
# Log all the mail messages in one place.
mail.* -/tmp/maillog
# Log cron stuff
cron.* /tmp/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /tmp/spooler
# Save boot messages also to boot.log
local7.* /tmp/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#DOLLARSIGNWorkDirectory /var/lib/rsyslog # where to place spool files
#DOLLARSIGNActionQueueFileName fwdRule1 # unique name prefix for spool files
#DOLLARSIGNActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#DOLLARSIGNActionQueueSaveOnShutdown on # save messages to disk on shutdown
#DOLLARSIGNActionQueueType LinkedList # run asynchronously
#DOLLARSIGNActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
#
# INN
#
news.=crit /tmp/news/news.crit
news.=err /tmp/news/news.err
news.notice /tmp/news/news.notice
news.=debug /tmp/news/news.debug
/proc/sys/* - Kernel-flags &Co.: detailed configuration
sysctl.conf - variables are files out of /proc/sys
check settings by "sysctl -a"
# Kernel sysctl configuration file
# /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Kernel sysctl configuration file for CentOS and Mandriva Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# /etc/sysctl.conf
# additionally from http://joshrendek.com/2013/01/securing-ubuntu/ resp. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
# Turn on execshild
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_congestion_control=cubic
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
# kernel.modules_disabled=0
# kernel.exec-shield=1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restict value is 1, addresses are provided if the current user has a CAP_SYSLOG
# capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the
# current user has.
kernel.kptr_restrict=2
kernel.dmesg_restrict = 1
# kernel.yama.ptrace_scope=3
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
dev.cdrom.autoeject=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0
# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.eth0.secure_redirects=1
net.ipv4.conf.eth0.shared_media=0
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.eth0.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.router_solicitations=0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=0
#
# ls /lib/modules/`uname -r`/kernel/net/ipv4/
# modprobe tcp_htcp
# modprobe tcp_cubic
# modprobe tcp_bbr
# net.core.default_qdisc=sch_fq_codel
net.ipv4.tcp_congestion_control=cubic
# BBR
# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.somaxconn=65535
net.core.optmem_max=25165824
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.rmem_default =212992
net.core.wmem_default =212992
net.core.netdev_max_backlog = 1000
#
kernel.sysrq = 0
kernel.core_uses_pid = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max=65535
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_regular=1
# fs.protected_fifos=1 # this might cause overflow of processes akonadi_maildir: system runs out of capacities
# fs.dir-notify-enable=0
# fs.mount-max=20
fs.suid_dumpable=0
# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max=65536
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 3294967295
kernel.shmall = 3294967295
kernel.randomize_va_space = 2
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=200
# or: vm.overcommit_kbytes=
vm.page-cluster =3
vm.oom_dump_tasks =0
vm.dirty_ratio=20
vm.dirty_writeback_centisecs=500
vm.dirty_background_ratio=5
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
kernel.printk =0 6 1 3
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
kernel.shmall =-1
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restict value is 1, addresses are provided if the current user has a CAP_SYSLOG capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the current user has.
kernel.kptr_restrict=2
# ptrace: process tracing
# kernel.yama.ptrace_scope=3
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_congestion_control=cubic
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.all.shared_media=0
net.ipv4.conf.eth0.secure_redirects=1
net.ipv4.conf.eth0.shared_media=0
# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
http://www.linux-admins.net/2010/09/all-you-need-to-know-about-procsys.html
Example for ulimit, ulimit -a and sysctl -a, https://forum.altlinux.org/index.php?topic=4786.0
Link
ln -sf /usr/sbin/sysctl /sbin/sysctl
Test sysctl.conf: sysctl -p /etc/sysctl.conf and activate an error-free sysctl by daemon or in /etc/rc.local
sysctl -p /etc/sysctl.config
Disable Unwanted SUID- and SGID-Binaries
All SUID/SGID bits enabled file can be misused when the SUID/SGID executable has a security problem or bug. All local or remote user can use such file. It is a good idea to find all such files. Use the find command as follows:
#See all set user id files:
find / -perm +4000
# See all group id files
find / -perm +2000
# Or combine both in a single command
find / ( -perm -4000 -o -perm -2000 ) -print
find / -path -prune -o -type f -perm +6000 -ls
You need to investigate each reported file. See reported file man page for further details.
https://www.cyberciti.biz/tips/linux-security.html
How to Remove (Delete) Symbolic Links in Linux, linuxize.com, 09.05.2019
A symbolic link, also known as a symlink, is a special type of file that points to another file or directory. It is something like a shortcut in Windows. A symlink can point to a file or a directory on the same or a different filesystem or partition.
In this guide, we will show you how to remove (delete) symbolic links in Linux/UNIX systems using the rm, unlink, and find commands.
...
find /path/to/directory -maxdepth 1 -xtype l
https://linuxize.com/post/how-to-remove-symbolic-links-in-linux/
Safe-Linking: Making Linux exploitation harder, itweb.co.za, 05.22.2020
Businesses and users alike are constantly on the lookout for easier ways to do things, and shortcuts that help us work faster and with less effort. Unfortunately, bad actors are no different, and are always hunting for existing vulnerabilities or weaknesses, that can be exploited.
[...] A good example of this would be memory corruption attacks, which are often employed to exploit programs written in Linux, the most widely-used open source operating system in the world.
With this in mind, Check Point has created Safe-Linking, a security mechanism to protect the internal structure of the heap – or the portion of memory that is not set to a constant size before compilation and can be controlled dynamically by a programmer – from being tampered with.
[...] Simply put, Safe-Linking removes the address data for the program, so the bad actor can no longer be sure where in the system’s memory it will be loaded – making it much harder for them to launch an exploit against the program,” the company adds.
https://www.itweb.co.za/content/Kjlyrvw1ejVMk6am
https://reportcybercrime.com/safe-linking-making-linux-exploitation-harder/
Check Point schließt 20 Jahre alte Sicherheitslücke in Linux, trojaner-info.de, 26.05.2020
Das Check Point Research Team führt eine neue Schutzmaßnahme für das Betriebssystem ein, die sich Safe-Linking nennt. Uralte Schwachstelle endlich geschlossen.
Das Check Point Research Team führt eine neue Sicherheitsmethode ein, um Linux-Systeme um einiges sicherer zu machen. Den Sicherheitsforschern gelang es, eine 20 Jahre alte und bestens bekannte Sicherheitslücke endlich zu schließen.
https://www.trojaner-info.de/sicher-anonym-im-internet/aktuelles/check-point-schliesst-20-jahre-alte-sicherheitsluecke-in-linux.html
[...] In our latest research, we created a security mechanism, called "Safe-Linking", to protect malloc()’s single-linked lists from tampering by an attacker. We successfully pitched our approach to maintainers of core open-source libraries, and it is now integrated into the most common standard library implementation: glibc (Linux) and its popular embedded counterpart: uClibc-NG.
https://www.terabitweb.com/2020/05/21/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/
User auditing - The Big Brother is watching you
If you are really paranoid you might want to add a system-wide configuration to audit, what the users are doing in your system. This sections presents some tips using diverse utilities you can use.
- Input and output audit with script, 4.11.10.1
- Using the shell history file, 4.11.10.2
- Complete user audit with accounting utilities, 4.11.10.3
- Other user auditing methods, 4.11.10.4
- Reviewing user profiles, 4.11.11
- Limiting what users can see/access, 4.11.13
- Limiting access to other user´s information, 4.11.13.1
- Generating user passwords, 4.11.14
- Checking user passwords
kauditd and auditd: Linux Audit Kernel Subsystem and Linux Audit System
Who does audit the code?
kauditd: internal kernel-auditing, for example of windows-titles out of Firefox online.
Kernel-interner audit-Daemon kauditd: URL, Webseiten-Inhalte: Fentstertitel, ... (online mit Browsern wie Firefox)
"00:00:12 [kauditd] dbadmin 4182 1 4182 0 1 May18 00:02:19 /opt/vertica/spread/sbin/spread -c /home/dbadmin/DatabaseName/v_DatabaseName_node0001_catalog/spread.conf..."
https://forum.vertica.com/discussion/236239/vertica-service-not-starting-after-server-reboot
kauditd is a kernel process, which is a part of the Linux kernel responsible for the kernel audit events (and communicates with the auditd process). The special brackets surrounding it are telling you that this is not a regular (userland) process (launched through a command), but a kernel process (started/managed by the Linux kernel itself)
https://wiki.gentoo.org/wiki/SELinux/Tutorials/The_security_context_of_a_process
The auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. With auditd you can answers the following questions:
System startup and shutdown events (reboot / halt).
Date and time of the event.
User respoisble for the event (suh as trying to access /path/to/topsecret.dat file).
Type of event (edit, access, delete, write, update file &commands).
Success or failure of the event.
Records events that modify date and time.
Find out who made changes to modify the system´s network settings.
Record events that modify user/group information.
See who made changes to a file etc.
See our quick tutorial which explains enabling and using the auditd service.
https://www.cyberciti.biz/tips/linux-security.html
kauditd und auditd: Kernel- und Linux Audit System
Who does audit the audit code?
How to use Auditing System in Linux - Configure, Audit Logs and ...
Well, the Linux Auditing system is the answer for all the above questions. The Linux Auditing system allows an administrator to configure audit rules to monitor the system calls, network access, files etc…and generate a summary report – which can be later analyzed and investigated for suspicious activity.
https://techglimpse.com/how-to-use-auditing-system-in-linux-configure-audit-logs-and-generate-reports/
See our quick tutorial which explains enabling and using the auditd service.
https://www.cyberciti.biz/tips/linux-security.html
The Linux audit subsystem is not one of the best-loved parts of the kernel. It allows the creation of a log stream documenting specific system events — system calls, modifications to specific files, actions by processes with certain user IDs, etc. For some, it is an ideal way to get a handle on what is being done on the system and, in particular, to satisfy various requirements for security certifications (Common Criteria, for example). For others, it is an ugly and invasive addition to the kernel that adds maintenance and runtime overhead without adding useful functionality. More recently, though, it seems that audit adds some security holes of its own. But the real problem, perhaps, is that almost nobody actually looks at this code, so bugs can lurk for a long time.
The system call auditing mechanism creates audit log entries in response to system calls; the system administrator can load rules specifying which system calls are to be logged. These rules can include various tests on system call parameters, but there is also a simple bitmask, indexed by system call number, specifying which calls might be of interest. One of the first things done by the audit code is to check the appropriate bit for the current system call to see if it is set; if it is not, there is no auditing work to be done.
[...] In summary, the code is a giant mess. The way it works is nearly incomprehensible. It contains at least one severe bug. I´d love to see it fixed, but for now, distributions seem to think that enabling CONFIG_AUDITSYSCALL is a reasonable thing to do, and I´d argue that it´s actually a terrible choice for anyone who doesn´t actually need syscall audit rules. And I don´t know who needs these things.
It is telling, though, that this particular vulnerability has existed in the audit subsystem almost since its inception. The audit code receives little in the way of review; most kernel developers simply turn it off for their own kernels and look the other way. But this subsystem is just the sort of thing that distributors are almost required to enable in their kernels; some users will want it, so they have to turn it on for everybody. As a result, almost all systems out there have audit enabled (look for a running kauditd thread), even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
If audit were to be implemented today, the developer involved would have to give some serious thought, at least, to using the tracing mechanism. It already has hooks applied in all of the right places, but those hooks have (almost) zero overhead when they are not enabled. Tracing has its own filtering mechanism built in; the addition of BPF-based filters will make that feature more capable and faster as well. In a sense, the audit subsystem contains yet another kernel-based virtual machine that makes decisions about which events to log; using the tracing infrastructure would allow the removal of that code and a consolidation to a single virtual machine that is more widely maintained and reviewed.
The audit system we have, though, predates the tracing subsystem, so it could not have been based on tracing. Replacing it without breaking users would not be a trivial job, even in the absence of snags that have been glossed over in the above paragraph (and such snags certainly exist). So we are likely stuck with the current audit subsystem (which will certainly not be marked "broken" in the mainline kernel) for the foreseeable future. Hopefully it will receive some auditing of its own just in case there are more old surprises lurking therein.
Posted May 30, 2014 6:50 UTC (Fri) by bnorris (subscriber, #92090) [Link]
&g; As a result, almost all systems out there have audit enabled
DOLLARSIGN grep CONFIG_AUDIT /boot/config-´uname -r´
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
( You might want to comment them in ... )
> (look for a running kauditd thread)
None here.
&g; even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
I´m not an expert on the kaudit subsystem (in fact, I just learned of it), but it looks like kauditd is only spawned in response to a user-space request for it (e.g. from SELinux auditd). See kernel/audit.c:...
https://lwn.net/Articles/600568/
man auditd
man auditd.conf
Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):
auditctl -e0 # for example within /etc/rc.local
Disable auditd permanently (this will require a reboot):
systemctl disable auditd
http://kb.ictbanking.net/article.php?id=632
kauditd - CentOS | Forum
kauditd. General support questions including new installations. How to disable kauditd? I tried to put audit=0 to the kernel line in grub, but no luck....
www.centos.org/forums/viewtopic.php?t=10899
kauditd might care for connection even with SELinux from NSA. So why did he had no luck with it? Boot-parameter "audit=0" (for grub: within /boot/grub/menu.lst) does prevent from kernel audit named kauditd ever starting: no auditing like firefox by the kernel anymore!
Disable the OOM Killer (process oom_reaper), The Ubuntu Forum Community, Ubuntu Specialised Support, January 2nd, 2014
As the title suggests, regardless of the repercussions, how do you disable this "feature".
Please do not provide alternate suggestions such as "get more ram" or "tell the program to use less memory".
I´m running a Minecraft server that has its heap space and permgen configured to use nearly all of the available memory on the vps where it resides. I have a highly specific reason for doing this and no, it has never caused me any problems in the past.
Yes the OOM Killer is killing the process see: OOM killed process 659 (java) vm:4973220kB, rss:2066504kB, swap:0kB
Who ever thought killing processes that are consuming beyond a specific amount of memory was a good idea, you have caused me and, the users of my server immeasurable levels of frustration. I am no Linux guru, so any help would be appreciated so long as that help reads "To disable the oom-killer do X".
Thank you in advance.
Re: Disable the OOM Killer
http://thetechnick.blogspot.com/2010...-on-linux.html
http://www.oracle.com/technetwork/ar...r-1911807.html
The OOM killer can be completely disabled with the following command. This is not recommended for production environments, because if an out-of-memory condition does present itself, there could be unexpected behavior depending on the available system resources and configuration. This unexpected behavior could be anything from a kernel panic to a hang depending on the resources available to the kernel at the time of the OOM condition.
sysctl vm.overcommit_memory=2 # mouseclick-fast
echo "vm.overcommit_memory=2" >> /etc/sysctl.conf
[...] Re: Disable the OOM Killer
Hi, Psionic,
I was having the same difficulties. You report that the oom-killer is still killing your process, I suggest either properly fully disabling the oom-killer or lowering the overcommit ratio, as follows:
Disabling OOM Killer
According to: https://www.kernel.org/doc/Documenta...ups/memory.txt
Code:
You can disable the OOM-killer by writing "1" to memory.oom_control file, as:
# echo 1 > memory.oom_control # (unknown variable by sysctl, remark, Gooken)
Reducing Overcommit Ratio
According to https://www.kernel.org/doc/Documenta...mit-accounting
Code:
2 - Don´t overcommit. The total address space commit for the system is not permitted to exceed swap + a configurable amount (default is 50%) of physical RAM.
Depending on the amount you use, in most situations this means a process will not be killed while accessing pages but will receive errors on memory allocation as appropriate.
Useful for applications that want to guarantee their memory allocations will be available in the future without having to initialize every page.
The overcommit policy is set via the sysctl ´vm.overcommit_memory´.
The overcommit amount can be set via ´vm.overcommit_ratio´ (percentage) or ´vm.overcommit_kbytes´ (absolute value).
There´s a rather good article on this topic http://www.linuxdevcenter.com/pub/a/...ry.html?page=1
Of course, in general if you´re getting processes killed it means there´s a problem with using more memory than the system can cope with, and the symptoms are very likely to come out somewhere else. In my case the oom-killer was definitely picking the right process, even though it was the primary purpose of the whole computer: the program had a data-dependent bug and was allocating memory out of control.
I hope that helps.
Kind regards,
...
https://serverfault.com/questions/606185/how-does-vm-overcommit-memory-work
More about oom_reaper
ttps://stackoverflow.com/questions/35791416/how-to-disable-the-oom-killer-in-linux
https://lwn.net/Articles/666024/
https://lwn.net/Articles/668126/
https://code.woboq.org/linux/linux/mm/oom_kill.c.html
https://www.oracle.com/technical-resources/articles/it-infrastructure/dev-oom-killer.html
https://superuser.com/q/1150215
https://ubuntuforums.org/showthread.php?t=2197016
https://askubuntu.com/q/1188024
https://unix.stackexchange.com/q/432171
https://blog.csdn.net/s_lisheng/article/details/82192613
rtkit-daemon (rpm rtkit)
Description: "RealtimeKit is a D-Bus system service that changes the scheduling policy of user processes/threads to SCHED_RR (i.e. realtime scheduling mode) on request. It is intended to be used as a secure mechanism to allow real-time scheduling to be used by normal user processes.".
https://fr2.rpmfind.net/
"I´s...a management daemon so to say. Instead of applications asking the kernel directly (and needing proper permissions for this, usually root) they ask the daemon. The daemon can hand out the realtime permissions then according it its configuration (/etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf). It´s simply a helper process that allows applications to ask for realtime permissions through dbus...not really much more. But having such a helper process makes the whole procedure much more secure (no suid root needed for some programs), cleaner (dbus interface) and more flexible (one daemon to configure, not each program with an own configuration..if at all)."
For rtkit isn´t almost needed, as we got told in the internet above, and there are no real dependencies from it, it´ might not be a bad idea to deinstall it:
"rpm -e --nodeps rtkit"
... same eventually with Packagekit (el6), gvfsd (gvfs (el6) and so on: just deinstall them! The less (not really needed daemons do run under root, the more secure the system might behave...
netns, migration/0, kintgerityd, oom_reaper, ... ( one of them lists the actual website-title!)
Kernel-daemons almost can´t get deactivated manually! This might be possible by removing some (not needed) kernel-modules by rmmod, delmod or kernel-configuration only (within file .config).
netns
Running strongSwan in Network Namespaces (netns) on Linux
Normally, the network stack (interfaces, routing tables, firewall rules etc.) is shared by all processes running on an operating system. With Linux network namespaces (netns) it´s possible to have multiple separate instances of the network stack.
Note: While basic support for network namespaces was added to the Linux kernel a long time ago, some features (e.g. CLUSTERIP support) might require a recent kernel.
The easiest way to work with network namespaces is to use the ip command of the iproute2 package. These commands will have to be executed as root (i.e. with sudo on most distros).
Network Namespace Basics
To create a new netns use the following command:
# ip netns add <network namespace name>
A list of all currently defined netns is provided by ip netns list.
Interfaces can be assigned to a netns with the ip link command:
# ip link set <interface name> netns <netns name>
If you run ip link list afterwards such an interface won´t be seen as it is only available in the configured netns.
So to actually list the interface in a specific netns it´s required to be able to run commands in a specific netns. This can be done with the ip netns exec command. So to get a list of interfaces defined in a specific netns use:
# ip netns exec <netns name> ip link list
If only one physical interface is available, or if you don´t want to assign physical interfaces to the netns for other reasons, it´s possible to create virtual Ethernet interface pairs (veth, provided via CONFIG_VETH). These are like a bi-directional pipe (i.e. what´s written to one end comes out the other and vice-versa) of which one end is placed inside the netns and the other stays outside in the "default" or "global" namespace.
To create such a pair use:
# ip link add <interface name 1> type veth peer name <interface name 2>
This creates two connected Enthernet interfaces with the given names. One is assigned to a netns (via ip link) the other is not (it doesn´t matter which one and it´s also possible to assign both interfaces to two different netns to connect them). How the outer interface is used depends on the use case, it may be put inside a bridge, or used in routing rules to route traffic to and from a netns.
Since interfaces assigned to a netns are disabled they have to be enabled first, and they will probably also require an IP address, which can be done with:
# ip netns exec <netns name> ip addr add x.x.x.x/x dev <iface name>
# ip netns exec <netns name> ip link set dev <iface name> up
Similar to these commands routes or firewall rules may be added by running ip route or iptables inside a specific netns via ip netns exec <command>.
Running a single instance of strongSwan inside a netns is straight-forward. Simply run ipsec commands via ip netns exec ipsec <command>.
But more interesting is probably running multiple instances of strongSwan in separate namespaces. Because all netns share the same file system this is a bit tricky.
Luckily, the ip netns exec command provides a helpful feature: Every file found in /etc/netns/<name>/ for a given netns is bind mounted over its corresponding counterpart in /etc (so it has to exist there). This can be used to provide different config files for each instance, but may also be used to redirect the so called piddir, where the charon and starter daemons create their PID files and UNIX sockets (the default is to use /var/run, which would conflict if multiple instances would use it).
To do so make sure strongSwan is configured with --sysconfdir=/etc and e.g. --with-piddir=/etc/ipsec.d/run. Then after building and installing strongSwan the piddirs can be created as follows:
# mkdir -p /etc/ipsec.d/run
# mkdir -p /etc/netns/<netns name 1>/ipsec.d/run
# mkdir -p /etc/netns/<netns name 2>/ipsec.d/run
https://wiki.strongswan.org/projects/strongswan/wiki/Netns
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux * runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels * implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols * Fully tested support of IPv6 IPsec tunnel and transport connections * Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555) * Automatic insertion and deletion of IPsec-policy-based firewall rules * Strong 128/192/256 bit AES or Camellia encryption, 3DES support * NAT-Traversal via UDP encapsulation and port floating (RFC 3947) * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels * Static virtual IPs and IKEv1 ModeConfig pull and push modes * XAUTH server and client functionality on top of IKEv1 Main Mode authentication * Virtual IP address pool managed by IKE daemon or SQL database * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739) * Authentication based on X.509 certificates or preshared keys * Generation of a default self-signed certificate during first strongSwan startup * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560). * CA management (OCSP and CRL URIs, default LDAP server) * Powerful IPsec policies based on wildcards or intermediate CAs * Group policies based on X.509 attribute certificates (RFC 3281) * Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) * Optional built-in integrity and crypto tests for plugins and libraries * Smooth Linux desktop integration via the strongSwan NetworkManager applet This package triggers the installation of both, IKEv1 and IKEv2 daemons.
https://fr2.rpmfind.net
Block network access of a process, unix.stackexchange.com
It is possible to block the (outgoing) network access of a single process in different ways: by unshare / nsenter, ip-netns, iptables, apparmor and firejail.
https://unix.stackexchange.com/questions/68956/block-network-access-of-a-process
Notice: We use right above mentioned command "unshare" for starting firejail (for sandboxing firefox (including for example libtrace.so of different file-sizes the versions) by the command "unshare firejail..." etc)., psad (/etc/init.d/psad: prog="unshare psad"), uuidd (/etc/init.d/uuidd with prog="unshare uuidd" and "daemon.... unshare DOLLARSIGNDAEMON" within the start-function, apparmor-dbus out of /etc/rc.local, messagebus (/etc/init.d/messagebus with processname="unshare dbus-daemon", dbus), gpm (/etc/init.d/gpm with "daemon "unshare /usr/sbin/gpm" -m ... ), cups (/etc/init.d/cups with "daemon "unshare cups" ...), dm (again in /etc/init.d/dm), X (X11, ServerCmd=/usr/bin/unshare /usr/bin/X within (resp., to be more concrete, follow the linking of) /usr/share/config/kdm/kdmrc: enhance the command for execution of X with unshare: "ServerCmd=/usr/bin/unshare /usr/bin/X"), kdm (/usr/share/config/kdm/kdmrc with "Preloader=/usr/bin/unshare /usr/bin/preloadkde", haldaemon (/etc/init.d/haldaemon), udevd (in /sbin/start_udev with "else /usr/bin/unshare /sbin/udevd -d ..."), polkitd (/etc/xdg/polkit-gnome-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-gnome-authentication-agent-1" and /etc/xdg-polkit-kde-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-kde-authentification-agent-1 ), konsole and xterm, dolphin, drakconf.real resp. drakconf (MCC), network-ready-games like gl-117, trackballs, extremetuxracer, marsshooter, freedroidrpg, orbital, xonotic etc. in future (do them all just to be careful)! Some kernel-modules like for usblp for USB-printer by unshare (for example in /etc/rc.loca): unshare COMMA-ABOVE-FOR-EXECUTIONmodprobe usblpCOMMA-ABOVE-FOR-EXECUTION,
graphic-card (just experimentel): unshare COMMA-ABOVE-FOR-EXECUTIONi915COMMA-ABOVE-FOR-EXECUTION, mainboard (just experimentel!): unshare COMMA-ABOVE-FOR-EXECUTIONlpc_ichCOMMA-ABOVE-FOR-EXECUTION, (less experimentel): unshare COMMA...modprobe videoCOMMA..., but still NOT functioning are those "unshared" ones for internal kernel-processs like kernel-daemon netns (/etc/rc.local): "unshare --net --mount -p pidof netns", oom_reaper (/etc/rc.local): "unshare --net --mount -p pidof oom_reaper", migration/0 (/etc/rc.local): "unshare --net --mount -p pidof migration/0". Also try firejail for a sandboxed network namespace by option net, netfilter, join-network=name|pid and netns, see man firejai, section join-network for good examples also doing fine with Linfw3 (through iptables-restore and iptables-save) or try slirp4netns (OpenSuSE 15.2).
rsyslog (runlevel-init-script /etc/init.d/rsyslog, line with daemon: .daemon --pidfile="DOLLARSIGNPIDFILE" unshare DOLLARSIGNexec -i "DOLLARSIGNPIDFILE&uqot; DOLLARSIGNSYSLOGD_OPTIONS
... eventually try the same with unshare within /etc/init.d/cups!
Especially hardening the root- and suid-processes by unshare makes the computer secure (as quit all remaining riscs do depend from kernel-processes now) and, as we, believe it or not, really meant having recognized, very mouseclick-fast too!
Always open resp. start programs resp. applications not allowed to communicate in any net with unshare or with adequate options of firejail, even within the terminal, k-menu, context-menu (service-menu), directory desktop, quick starter and quick launcher! Use unshare even for firejail itself, especially whenever firejail got a sandbox for the a browser like firefox: we show the complete resulting command for this case further below!
OK, we show the meant command to start Tor and Firefox bt Firejail through unshare ( unexplaineds ) from further below already right at this place:
sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/firefox.profile /usr/lib64/firefox/firefox --no-remote &" && sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/palemoon.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts"
watchdogd: How can I disable a watchdog, once it has been enabled?
Normally to shut down the watchdog driver you have to write a ´V´ character to /dev/watchdog which you could do from a root bash prompt just with:
echo ´V´ > /dev/watchdog
However, before you try to create your own watchdog driver take a look at the existing Linux watchdog daemon to see, if it can do the job. A good start is my page here: http://www.sat.dundee.ac.uk/~psc/watchdog/Linux-Watchdog.html
https://unix.stackexchange.com/questions/144588/how-can-i-disable-a-watchdog-once-it-has-been-enabled
Increase kernel integrity with disabled Linux kernel modules loading
Increasing Linux kernel integrity
Disable loading kernel module on Linux systems, linux-audit.com
The Linux kernel can be configured to disallow loading new kernel modules. This feature is especially useful for high secure systems, or if you care about securing your system to the fullest. In this article, we will have a look at the configuration of this option. At the same time allowing legitimate kernel modules to be loaded.
Disable kernel modules
Newer kernel modules have a sysctl variable named kernel.modules_disabled.
Sysctl is the tool which allows you to see and change kernel settings of a running system. The related /etc/sysctl.conf file is used to ensure that your settings are also used at the next boot of the system.
The sysctl key kernel.modules_disabled is very straightforward. If it contains a "1" it will disable loading new modules, where a"0" will still allow loading them.
Using this option will be a great protection against loading malicious kernel modules. For example, it may help to counter rootkits. Needless to say, but when someone was already been able to gain root access, you have a serious problem. Still, setting this security measure can be useful to achieve maximum hardening of your Linux system. An altered script or program has no chance of loading things you didn’t specifically approve.
[...] By default, the sysctl key is set to"0", which means new modules can be loaded. This is a safe default for systems but also allows malicious modules to be loaded.
# sysctl -a | grep modules
kernel.modules_disabled = 0
Now we disable loading new modules, by using the sysctl key and set it to"1". There are two ways of doing it, using sysctl directly or echo the value to a file on the pseudo file system /proc, which holds the kernel settings.
# echo 1 > /proc/sys/kernel/modules_disabled
Protection against re-enabling
You might think that loading a kernel module is as simple as re-enabling the option and then still load your kernel module. The kernel has a built-in protection, to avoid this from happening. Trying to set the value back to"0" will result in an"invalid argument" message.
Sysctl showing invalid argument when trying to set value
As can be seen, sysctl will say the value is set to"0". However, the value isn’t applied, as this key is read-only. Slightly confusing, and therefore always good to check the value again.
# sysctl kernel.modules_disabled
kernel.modules_disabled = 1
As expected, the value is still set to"1".
Disable module loading after boot time
By configuring the /etc/sysctl.conf file we can disallow the loading of kernel modules at boot time. Simply add the related line, with the value"1" as shown in the example.
Caveat: Things might break
Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases.
Hybrid option
Instead of enabling the option directly via /etc/sysctl.conf, it might be better to activate this setting after booting and loading required modules.
Your startup script could be looking like
#!/bin/sh/ # code by Gooken
sleep 45 # original text: 300; decrease this time, if usb and all modules are working fine, if not, test checkout lsmod and increase it
# insmod <module>
# insmod <module>
modprobe usb_storage
modprobe vfat
modprobe fat
modprobe nls_iso8859_1
modprobe nls_cp437
modprobe cryto_simd
modprobe glue_helper
modprobe dax
modprobe uinput
modprobe ahci
modprobe libahci
modprobe ecb
modprobe af_alg
modprobe algif_skcipher
modprobe lrw
modprobe gf182mul
modprobe cbc
modprobe aes_x86_64 # for USB, that might be LUKS-encrypted
modprobe twofish_common
modprobe twofish_x86_64_3way
modprobe twofish_x86_64
modprobe twofish_generic
echo 1 > /proc/sys/kernel/modules_disabled
Usually to get iptables working, these are the related modules: iptables, x_tables, iptable_filter.
Depending on your Linux distribution, the startup should be loaded as late as possible. If you have /etc/rc.local available, that is usually a safe bet.
Do you use this option already? Or found some other caveats? Like to hear your feedback in the comments.
https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/
In other words: write the small routine from above into a runlevel-init-script (for example this of /etc/init.d/linfw3 renamed to /etc/init.d/modules-disabled) right into the start function, where it is executed by the command start & (and not just the command "start") in the background. Before this is done, remove all code not needed anymore from this script. Now the script itself is executed not as usual by chkconfig, ntsysv7, the MCC (drakconf) or systemd, but only out of /etc/rc.local by the command "sh /etc/init.d/modules-disabled start".
kernel.printk.* in /etc/sysctl.conf
kernel.printk =0 6 7 0 # The four values in printk denote: console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel respectively.
0=emerg, 1=alert, 2=crit, ...
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
https://unix.stackexchange.com/questions/13019/description-of-kernel-printk-values
Regelmäßig Logs analysieren
Speichere logs in vorgesehene Log-Server. Damit wird verhindert, dass Eindringlinge auf einfache Art Modifikationen an Log-Dateien vornehmen. Hier noch einmal namentlich die in Linux üblichen Log-Dateien und ihre Verwendung:
/var/log/message - Hier protokolliert mehr oder weniger das gesamte System
/var/log/auth.log - Authentifizierung
/var/log/kern.log - Kernel-Logs.
/var/log/cron.log - Crond-Logs (cron job).
/var/log/maillog - Mailserver-Logs
/var/log/boot.log - System-boot-Log
/var/log/mysqld.log - Logdatei des MySQL-Datenbankservers
/var/log/secure - Authentifizierung
/var/log/utmp oder /var/log/wtmp : Protokolliert die records-Dateien
/var/log/yum.log: Yum-Logdatei
https://www.tecmint.com/linux-server-hardening-security-tips/
Prevent too informative system information in logfiles
The system-log-level reach from debug over info, warning up to emerg. A detailed protocolling is something to think about, they can be read out by users as much as processes. For outputs of dmesg log-level "warning" might restrict delivered protocol-information:
/etc/init.d/rklogd
RKLOGD_OPTIONS="-c 4"
Using and customizing logcheck
The logcheck package in Debian is divided into the three packages logcheck (the main program), logcheck-database (a database of regular expressions for the program) and logtail (prints loglines that have not yet been read). The Debian default (in /etc/cron.d/logcheck) is that logcheck is run every hour and after reboots.
This tool can be quite useful if properly customized to alert the administrator of unusual system events. Logcheck can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file /etc/logcheck/logcheck.conf, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: /etc/logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_, and /etc/logcheck/ignore.d.workstation/_packagename_. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a wishlist bug). For more information read /usr/share/doc/logcheck/README.Debian.
The best way to configure logcheck is to edit its main configuration file /etc/logcheck/logcheck.conf after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. logcheck-database has three report levels of increasing verbosity: workstation, server, paranoid. "server" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to /etc/logcheck/logcheck.logfiles. It is tuned for default syslog install.
Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see regex(7) and egrep(1)) that correspond to these messages to the /etc/logcheck/ignore.d.reportlevel/local. Try to match the whole logline. Details on howto write rules are explained in /usr/share/doc/logcheck-database/README.logcheck-database.gz. It´s an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if logcheck does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky).
Configure, where alerts are sent
Debian comes with a standard syslog configuration (in /etc/syslog.conf) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the syslog.conf file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed.
For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems).
Root´s mail should be considered also, many security controls (like snort) send alerts to root´s mailbox. This mailbox usually points to the first user created in the system (check /etc/aliases). Take care to send root´s mail to some place where it will be read (either locally or remotely).
There are other role accounts and aliases on your system. On a small system, it´s probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator´s personal mailbox.
Firefox: Copy the secure libssl*, libnss* and libnspr4* of tor-Browser (ESR) or out of an actual Firefox like 63 to Firefox (ESR, same version as tor-browser) into /usr/lib64/firefox/ followed by chown root:root and chmod 755 upon them.
Protecting against ARP-attacks
When you don´t trust the other boxes on your LAN (which should always be the case, because it´s the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then, if the IP isn´t present, in the cache by broadcasting an ARP query) to find the target´s hardware address. All the ARP attacks aim to fool your box into thinking, that box B´s IP address is associated to the intruder´s box´s MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder´s box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:
Use a static ARP cache. You can set up "static" entries in your ARP cache with:
arp -s host_name hdwr_addr
By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don´t expire and can´t be modified) and spoofed ARP replies will be ignored.
Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.
Secure up services running on your system
SSH, Squid, FTP, X-Window-System, Display-Manager, Druckerzugriff, Mail-Dienst, BIND, Apache, Finger, chroot- and suid-paranoia, Cleartext-passwort-paranoia, deactivating NIS, deactivating RPC-services:
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html
Package signing
https://www.debian.org/doc/manuals/securing-debian-howto/ch7.de.html
Remote vulnerability assessment tools
The tools provided by Debian to perform remote vulnerability assessment are:
nessus, raccess, nikto (whisker´s replacement)
By far, the most complete and up-to-date tools is nessus which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are able even to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.
Network scanner tools
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides:
nmap, xprobe, p0f, knocker, isic, hping2, icmpush, nbtscan (for SMB /NetBIOS audits), fragrouter, strobe (in the netdiag package), irpas
While xprobe provide only remote operating system detection (using TCP/IP fingerprinting, nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.
Designed specifically for SMB networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.
Virtual Private Networks
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network´s topology.
Debian provides quite a few packages to set up encrypted virtual private networks:
vtun, tunnelv (non-US section), cipe-source, cipe-common, tinc, secvpn, pptpd, openvpn, openswan (http://www.openswan.org/)
The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), VPN HOWTO (covers PPP over SSH), Cipe mini-HOWTO, and PPP and SSH mini-HOWTO.
Also worth checking out is Yavipin, but no Debian packages seem to be available yet.
Reaction in the case of user-idle-state, https://wiki.centos.org/HowTos/OS_Protection
Now that we´ve restricted the login options for the server, lets kick off all the idle folks. To do this, we´re going to use a bash variable in /etc/profile. There are some reasonably trivial ways around this of course, but it´s all about layering the security.
echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
Restrictions for cron and at, https://wiki.centos.org/HowTos/OS_Protection
In some cases, administrators may want the root user or other trusted users to be able to run cronjobs or timed scripts with at. In order to lock these down, you will need to create a cron.deny and at.deny file inside /etc with the names of all blocked users. An easy way to do this is to parse /etc/passwd. The script below will do this for you.
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: ´{print DOLLARSIGN1}´ /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: ´{print DOLLARSIGN1}´ /etc/passwd | grep -v root > /etc/at.deny
Lockdown Cronjobs
Cron has it´s own built in feature, where it allows to specify who may, and who may not want to run jobs. This is controlled by the use of files called /etc/cron.allow and /etc/cron.deny. To lock a user using cron, simply add user names in cron.deny and to allow a user to run cron add in cron.allow file. If you would like to disable all users from using cron, add the ´ALL´ line to cron.deny file.
# echo ALL >>/etc/cron.deny
Cron Scheduling Examples in Linux: https://www.tecmint.com/11-cron-scheduling-task-examples-in-linux/
https://www.tecmint.com/linux-server-hardening-security-tips/
Sysctl Security, https://wiki.centos.org/HowTos/OS_Protection
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. If these lines exist, modify them to match below. If they don´t exist, simply add them in. If you have multiple network interfaces on the server, some of these may cause issues. Test these before you put them into production. If you want to know more about any of these options, install the kernel-doc package, and look in Documentation/networking/ip-sysctl.txt
# Kernel sysctl configuration file
# /etc/sysctl.conf
# test with sysctl -p /etc/sysctl.conf
# additionally from http://joshrendek.com/2013/01/securing-ubuntu/ resp. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
# Turn on execshild
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 1
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
vm.overcommit_memory=2 # mouseclick-fast
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mouseclick-fast
# or: vm.overcommit_kbytes=
vm.page-cluster =3
vm.oom_dump_tasks =0
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.eth0.disable_ipv6=1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 0
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
# net.core.default_qdisc=sch_fq_codel
net.ipv4.tcp_congestion_control=cubic
# BBR
# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0
#
# BBR - Netwerkturbo für Linux
# Die neue Flusskontrolle erscheint aber auch ideal für Server im lokalen Netzwerk, die hin und wieder die Netzwerkbandbreite voll ausschöpfen sollen, etwa bei der Übertragung großer Dateien bei NAS-Geräten, Nextcloud- oder
# Streamingservern.
# https://www.pcwelt.de/ratgeber/BBR-Netzwerkturbo-fuer-Linux-im-Ueberblick-10612165.html
# net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.netdev_max_backlog = 5000
#
kernel.sysrq = 0
kernel.core_uses_pid = 1
fs.file-max=65535
kernel.pid_max=65536
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 134217728
kernel.shmall = 4294967296
kernel.randomize_va_space = 2
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1# sysctl.conf(5) for more details.
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
kernel.dmesg_restrict = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0
# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.default.router_solicitations=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.core.rmem_default =212992
net.core.wmem_default =212992
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mausklick-schnell
# or: vm.overcommit_kbytes=
vm.page-cluster =3
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
net.ipv4.conf.all.rp_filter=1
Gooken´s excellent DNS-security-concept, details from much further below: "DNS-surf-mask" local (etc/hosts/) for fundamental domain-IP including some blocks, followed by pdnsd (the local DNS-proxy/DNS-server with adjustable long-time storage) and finally tordns (the anonymizing DNS-Server of Tor (the Onion Router), tor-resolve)
Deactivate IPv6, https://help.ubuntu.com/community/StricterDefaults
IPv6 is part of a Linux-kernel since 2.6.28. Such addresses do never change. If IPv6 is configured wrong, it can cause troubles within a network and for DNS-queries.
IPv6 is enabled on Ubuntu by default. Most firewalls (like LINFW3) only apply to IPv4, and completely ignore IPv6. If you don´t use IPv6 at all, you can prevent it loading at boot time by changing alias net-pf-10 ipv6 to alias net-pf-10 off in /etc/modprobe.d/aliases resp. /etc/modprobe.conf and scheduling a reboot.
RedHat Enterprise Linux / CentOS / Fedora Core:
/etc/modprobe.conf, change line:
alias net-pf-10 ipv6
into:
alias net-pf-10 off
alias ipv6 off
and restart the computer.
RedHat Enterprise Linux / CentOS / Fedora Core / Mandriva:
Add the following entry to /etc/sysconfig/network:
NETWORKING_IPV6="no"
... and restart the system.
ktune: Kernel-Tuning resp. by boot-options ( /etc/init.d/ktune, if not already done in /boot/grub/menu.lst)), so make it mouseclick-fast
/etc/sysctl.d/*
nano /etc/sysctl.d/01-disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
nano /etc/sysctl.d/10-ptrace.conf
kernel.yama.ptrace.scope=3
nano /etc/sysctl.d/50-kptr-restrict.conf
kernel.kptr_restrict=1
nano /etc/sysctl.d/armci.conf
# Controls the maximum shared segment size, in bytes, siehe auch /etc/sysctl.conf
kernel.shmmax = 134217728
nano /etc/sysctl.d/libvirtd
The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
Start ktune
sh /etc/init.d/ktune start
Deactivate IPv6
This article describes, howto deactivate the IPv6 support for Linux and Windows. Dies kann aus Sicherheitsgründen sinnvoll sein, solange man IPv6 noch nicht produktiv einsetzt. Damit kann verhindert werden, dass man eine IPv6 Adresse erhält, sobald ein IPv6 Router Advertisement Daemon in einem Netz verfügbar ist. Außerdem sind bestehende Firewall Rules oft nicht für IPv6 gültig. In diesem Fall hätte man dann unter Umständen Dienste per IPv6 zugänglich die man eigentlich mit einer IPv4 Regel unterbunden hat. Unter Linux gibt es das eigene Kommando "ip6tables" zur Verwaltung der IPv6 Firewall Rules.
1 Ubuntu
2 RHEL / CentOS
Ubuntu
In Ubuntu 10.04, 12.04, 14.04 und 16.04 ist IPv6 direkt in den Kernel kompiliert und wird nicht als Modul geladen. Die einfachste Methode um IPv6 zu deaktivieren ist den passenden sysctl Parameter zu setzen. Temporär kann dies mit folgendem Kommando erfolgen:
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
Um diese Einstellung dauerhaft vorzunehmen bietet es sich an auf die sysctl Funktionalitäten zurückzugreifen. Dafür einfach eine Datei namens /etc/sysctl.d/01-disable-ipv6.conf anlegen mit folgendem Inhalt:
net.ipv6.conf.all.disable_ipv6 = 1
Nach dem nächsten Reboot ist IPv6 dann deaktiviert.
Am besten kann dies mit dem Kommando "ip addr show" überprüft werden. Es darf dann keine Einträge mit dem Text "inet6" mehr geben.
ip addr show | grep inet6
RHEL / CentOS
Unter RHEL 6 / CentOS 6 (with many patches/updates by Jonny Hughes, NY, kann die Deaktivierung von IPv6 ident wie unter Ubuntu via sysctl erfolgen (siehe oben).
In RHEL 4 / CentOS 4 ist IPv6 als Modul integriert. Um dieses zu deaktiveren einfach folgende Zeile in der Datei /etc/modprobe.conf hinzufügen:
install ipv6 /bin/true
Die Überprüfung, ob es geklappt hat, kann mit dem Kommando "ip addr show | grep inet6" oder alternativ mit dem Kommando
lsmod | grep -i ipv6
TCP Wrapper, https://wiki.centos.org/HowTos/OS_Protection
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. The TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap. A restrictive example is below. This example blocks everything but ssh:
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
Turn on SELinux
Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in the kernel. Disabling SELinux means removing security mechanism from the system. Think twice carefully before removing, if your system is attached to internet and accessed by the public, then think some more on it.
SELinux provides three basic modes of operation and they are.
Enforcing: This is default mode which enable and enforce the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful in term of troubleshooting SELinux related issues.
Disabled: SELinux is turned off.
You can view current status of SELinux mode from the command line using ´system-config-selinux´, ´getenforce´ or ´sestatus´ commands.
# sestatus
If it is disabled, enable SELinux using the following command.
setenforce enforcing
It also can be managed from ´/etc/selinux/config´ file, where you can enable or disable it.
https://www.tecmint.com/linux-server-hardening-security-tips/. Bootparameter in /boot/grub/menu:lst: "selinux=1"
AppArmor or SELinux?, forum.ubuntuusers.de
Why does Ubuntu not use SELinux, ... I see it so too.... I have no trust anymore. . Tom-L. Beiträge form year 2007 ( five years before Snowden´s publications...): 1181.
@glasen
Many thanks, I am going to reed it having time next morning..
@timmy11
Soso, NSA aso. Hmm, I would for myself wouldn´t bother about ... I mean, ok, of it would be our government Bundesregierung... Bundes-trojan :lol:
No, but to be serious: Security against third parties may be higher, if institutes like NSA are involved, but I feel the shabby smell with it too.
timmy11
Maybe someone can convince us from the opposite.
For me America means (... the governmental organizations): I like everything to know and to snoop upon.
Murdoc
Avatar von Murdoc
I also see this....I simple do not have any trust anymore:(
Tom L.: I mean having read, that SELinux is an official part of the kernel. Therefore I believe, that Kernel developer ( and more than only the same one) has studied the source code carefully.
glasen: Sorry, but I can not stand your paranoia.
Obviously NSA become a member to develope SELinux, but as Linux is open-source free software, it is impossible for NSA to keep any backdoors secretly open.
If there were one line code, that could not stand Peer-Review, SELinux would never be a part of the kernel-sources!
Murdoc: I believe this too, but they have studied everything, but there are also kernel-exploits :-/
If secret services would do this, intergrating backdoors within the kernel ..., then certainly not by a project like SELinux, but through other parts of the kernel.
comm_a_nder: Hey, boys, think about it.
Mosurft: Generally I do not feel well connecting SELinux made by NSA, even for - I do believe - noone can study and analyze each part of the source-code. Anyoune does always not notice anything, otherwise there would be no lacks in security and even a secret service has got the most interest in getting and checking a PC with the click on the buttom, in order to check out PCs...
I´d like to know, who runs SELinux on a computer with Ubuntu and how it functions! And if someone does not like SELinux, what about Grsecurity? Did anyone check it out?
Greetings, Mo.
comm_a_nder: If i said it in the wrong way and you feel attacked in person, it makes me sorry.
Back to the theme: Especially the parts of software added by NSA, have been checked out well. But as I told you, there were surely much more effective ways for the boys from "Crypto City" to migrate code into kernel-source.
Murdoc. As we are going on paranoidal, I ask for the BIOS.
Now, as ASUS offers a Minimal Linux to browse, the question is posed, what the BIOS is all enabled to do?
Mosurft: If I do not trust the BIOS, then I better do not use any computer...! ;)
...
https://forum.ubuntuusers.de/topic/apparmor-oder-selinux
Introduced mainboard ITX-220 comes with in- and deactivable BIOS-LAN-Chip and Coretemp for the regulation of the temperature... Next point: SELinux. As our excurs shows, it is suspicously not needed. So we´d prefer to deactivate it right within the boot-paramters.
Review Logs Regularly
Move logs in dedicated log server, this may prevents intruders to easily modify local logs. Below are the Common Linux default log files name and their usage:
/var/log/message - Where whole system logs or current activity logs are available.
/var/log/auth.log - Authentication logs.
/var/log/kern.log - Kernel logs.
/var/log/cron.log - Crond logs (cron job).
/var/log/maillog - Mail server logs.
/var/log/boot.log - System boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/secure - Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.
https://www.tecmint.com/linux-server-hardening-security-tips/
Shared Memory (shm und tmpfs, siehe unsere /etc/fstab im noch Folgenden), https://help.ubuntu.com/community/StricterDefaults
By default, /run/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /run/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /run/shm read/write. To change this setting, edit the /etc/fstab file to include the following line:
none /run/shm tmpfs defaults,ro 0 0
resp. http://joshrendek.com/2013/01/securing-ubuntu/ :
A common exploit vector is going through shared memory (which can let you change the UID of running programs and other malicious actions). It can also be used as a place to drop files once an initial breakin has been made. An example of one such exploit is available here.
Open /etc/fstab/:
tmpfs /dev/shm tmpfs defaults,ro 0 0
This will mount /run/shm in read-only mode. Note: MANY programs will not work if you make /run/shm read-only (e.g. Google Chrome).If you have a good reason to keep it writable, put this line in /etc/fstab instead:
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
This will mount /run/shm writable, but without permission to execute programs, without permission to change the UID of running programs, or to create block or character devices in the namespace.
The changes will take effect the next time you reboot, unless you remount /run/shm with the command sudo mount -o remount /run/shm.
SSH Settings, https://help.ubuntu.com/community/StricterDefaults
While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain sshd settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the /etc/ssh/sshd_config file. Lines with a pound sign (#) are commented and not read. To edit this file from a terminal:
sudoedit /etc/ssh/sshd_config
For a Gnome editor, press Alt+F2 and use:
gksudo gedit /etc/ssh/sshd_config
For a KDE editor, press Alt+F2 and use:
kdesu kate /etc/ssh/sshd_config
Please remember, after making any changes, sshd must be restarted, which can be done from the terminal with this command:
service ssh restart (CentOS: sh /etc/init.d/sshd restart)
..., https://help.ubuntu.com/community/StricterDefaults .
Configuring bastille, http://joshrendek.com/2013/01/securing-ubuntu/
The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system´s current state of hardening, granularly reporting on each of the security settings with which it works.
File permissions module: Yes (suid)
Disable SUID for mount/umount: Yes
Disable SUID on ping: Yes
Disable clear-text r-protocols that use IP-based authentication? Yes
Enforce password aging? No (situation dependent, I have no users accessing my machines except me, and I only allow ssh keys)
Default umask: Yes
Umask: 077
Disable root login on tty 1-6: Yes
Password protect GRUB prompt: No (situation dependent, I´m on a VPS and would like to get support in case I need it)
Password protect su mode: Yes
default-deny on tcp-wrappers and xinetd? No
Ensure telnet doesn´t run? Yes
Ensure FTP does not run? Yes
display authorized use message? No (situation dependent, if you had other users, Yes)
Put limits on system resource usage? Yes
Restrict console access to group of users? Yes (then choose root)
Add additional logging? Yes
Setup remote logging, if you have a remote log host, I don´t so I answered No
Setup process accounting? Yes
Disable acpid? Yes
Deactivate nfs + samba? Yes (situation dependent)
Stop sendmail from running in daemon mode? No (I have this firewalled off, so I´m not concerned)
Deactivate apache? Yes
Disable printing? Yes
TMPDIR/TMP scripts? No (if a multi-user system, yes)
Packet filtering script? Yes
Finished? YES! & reboot
Link the dns resolver nslookup to the anonymizing tor-resolve
We are going to write about Tor (The Onion Router) at the end of our excurs. If you already use Tor, secure up your system by linking nslookup with the DNS-anonymizing resolver tor-resolve:
make a copy of nslookup: cp -f /usr/bin/nslookup /usr/bin/nslookup-save
links nslookup with tor-resolve: ln -sf /usr/bin/tor-resolve /usr/bin/nslookup.
You can do the same for dns-resolving host and dig too.
Notice, that the output of those programs is not the same (but in all cases they do contain the IP for the domain requested).
For programs that do not work past this linking, enter the ip-domain-pairs in /etc/hosts and adjust /etc/nsswitch.conf. Read more about /etc/hosts at the end of our excurs.
At last, think about setting ACL-rights upon these files, see our section for setfacl.
For our "Universal-Linux" (backported sytem) an actual kernel and actual kernel-firmware can be downloaded from PCLinuxOS, a backport of Fedora Core, ROSA, Mageia and Mandriva, http://ftp.pbone.net/mirror/www.pclinuxos.com/pclinuxos/apt/pclinuxos/64bit/RPMS.x86_64/ or https://ftp.nluug.nl/ftp/pub/os/Linux/distr/pclinuxos/pclinuxos/ or https://linux.palemoon.org and other URL. We strongly recommend LONGTERMED kernel-4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)), glibc (el8, pclos) and kernel-firmware (pclos) and kernel-firmware-extra (pclos) and Konqueror (el6) with the intergrated adbocker resp. actual Firefox (ESR, the backported company edition) from http://ftp.scientificlinux.org/linux/scientific/6.9/x86_64/updates/security/ or http://mirror.centos.org/centos/6/updates/x86_64/Packages/ with extensions named on this webside in the following.
After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".
Deinstallation of programs (also see section "Updating/Updates"): If sudo, rpcbind, portmapper, sshd SSH-Daemon, rsh, telnet, avahi-daemon or cups-browsed daemon of the CUPS-system is not needed for example, it is possible to deactivate or deinstall them: "dpkg ..." , "rpm -e [nodeps]" source: https://wiki.kairaven.de/open/os/linux/tuxsectune
Quota
Quota limits the memory consumption for a single user and/or group, so that an "overflow" of a volume resp. partition is prevented. For quota the kernal must be configured. If CONFIG_QFMT_V2 is set as modul, kernel modul quota_v2.ko is added to /etc/modules:
sudo echo quota_v2 >>, /etc/modules
For quota following packages have to be installed:
sudo aptitude install quota quotatool
If there is not any quota upon NFS-mounted file systems resp. RPC-quota-server, the service RPC-Remote-Quota-Server can be deactivated:
sudo systemctl disable quotarpc.service # sh /etc/init.d/quota... stop # and disable
In /etc/fstab the mount-options of the /fs file system are added with the options for the usage of journaling quota:
/etc/fstab
/fs /mountpoint ext4 optionen,usrjquota=aquota.usr/grpjquota=aquota.group,jqfmt=vfsv0|1
Use usrjquota for quota of user and/or grpjquota for groups. Volumes with a size of 4TB use quota-format vfsv1.
Finally restart the system, if the file system can not be mounted by the following command:
sudo mount -o remount /mountpoint
More details and source: https://wiki.kairaven.de/open/os/linux/tuxsectune
Kernel-configuration
Deactivate as much as possible, that means all modules, that are not needed. The preconfiguration for single user is already set for the everyday life. This might differ from special requirements and development and a backup-kernel should be installed parallely too, if the configuration and the boot fails.
BR>
More details and source: https://wiki.kairaven.de/open/os/linux/tuxsectune
We are describing, how to configure and compile the kernel-source in our section for updates.
Blocking of modules
https://wiki.kairaven.de/open/os/linux/tuxsectune (resp. by "blacklist modul-name" within /etc/modules.d).
Dienste mit systemd
Removal and deactivation
Deactive all services, that are not needed. Either deinstall complete packages or, if a deinstallation is not wanted, use systemctl (alternatively: ntsysv, chkconfig or MCC#system-services (mdv2010) for deactivation).
More about security-settings for services by systemd and source: https://wiki.kairaven.de/open/os/linux/tuxsectune .
at & cron
Resrict the users, that are enable to create and modify at (batch) and cron jobs, enable them within /etc/at.allow and /etc/cron.allow by entering them with their login-name line-by-line (only for users, that are enabled).
Hardend compilation
Flags, that can be set for the configure-Script.
Executable
´CFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´CPPFLAGS= -D_FORTIFY_SOURCE=2´
´CXXFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´LDFLAGS= -fPIE -pie -Wl,-z,relro -Wl,-z,now´
Shared Library
´CFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´CPPFLAGS= -D_FORTIFY_SOURCE=2´
´CXXFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´LDFLAGS= -fpic -Wl,-z,relro -Wl,-z,now´
If option "-fpic" does not work, use "-fPIC".
Evtl. deinstall ( rpm -e packagename or rpm -e --nodeps packagename )
rpcbind (el6, mdv2010.2), sudo (el6, mdv2010.2), portmap (el6, mdv2010.2), dayplanner, mmc-agent (mdv2010.2), tracker (mdv2010), codeina (mdv2010), xguest (mdv2010), wu-ftpd (mdv2010), anonftp (mdv), mdkonline (mdv2010), f-spot (does not work on the base of updated mono (rosa2014.1), abrt (el6), funguloids (mdv2010.2), banshee (rosa,mdv) and amarok (rosa,mdv): unavailable for el6, both ones do not work, qmmp (el6, mdv) does not work, lxde (mdv2010, lxpanel tries to get inpredictable root-access).
Start only the processes needed. Use net_applet from NetworkManager and not nm-applet. There might be an error in the skript for NetworkManager. Replace everything except last line in start() with "/usr/bin/NetworkManager --login-level=INFO".
Commercial modules: Linux and the NSA
tgruene, 16.10.2013
Bei dem letzten Newslink über Oracles Versuch, dem DOD den Vorteil kommerzieller Software zu erkläeren, kam mir der Gedanke, dass auf einem.typischen Linuxrechner eine ganze Reihe Module laufen, fuer die kein Quellcode zur Verfuegung steht (die dafür von US-amerikanischen Firmen zur Verfügung gestellt werden und somit vermutlich auch gesetzestreue (aka NSA-freundliche) Hintertüren enthalten), seien es Nvidia/ATI-Treiber, Virtualbox oder unter Debian vermutlich fast der gesamte Inhalt von firmware-linux-nonfree.
Mich interessiert, wie gut der Kernel und die Module voneinander abgeschottet sind - wie leicht ist es, solch einem Modul z.B. einen Keylogger einzubauen, der meine Passwörter beim Tippen abfängt und übers Internet irgendwohin schickt? Dass die NSA meine Emails liest, ist unverschämt, stört mich aber an sich nicht weiter, sonst würde ich ja keine Emails an Leute schreiben, deren Schlüssel ich nicht kenne, doch meinen GPG-Schlüssel und die Passwörter abzuhören - dagegen habe ich ganz ordentlich etwas.
Terminal -> lsmod
/etc/modprobe.d/blacklist*
blacklist mei
blacklist it87 # disabled for Mainboard ASUS ITX-220
blacklist i2c_dev # ITX-220
blacklist coretemp # ITX-220
blacklist snd-usb-audio
blacklist snd_pcm_oss
blacklist snd_mixer_oss
blacklist snd_seq_oss
blacklist pata_acpi
blacklist rivatv
blacklist i82875p_edac
# do not use "Boot Protocol" drivers, we prefer usbhid
# and they cause problems when loaded together with usbhid (#37726, #40861)
blacklist usbkbd
blacklist usbmouse
# disable PC speaker by default
# pcspkr is the standard driver, while snd-pcsp is the ALSA driver
blacklist pcspkr
blacklist snd-pcsp
blacklist pcspkr
blacklist snd-pcsp
blacklist vhost
blacklist vhost_net
blacklist tpm_infineon
blacklist tmp_tis
blacklist tmp_tis_core
blacklist i82875p_edac
blacklist pcspkr
blacklist snd-pcsp
blacklist rivatv
blacklist i82875p_edac
blacklist pcspkr
blacklist it87
blacklist i2c_dev
blacklist coretemp
blacklist vhost_net
blacklist tpm_infineon
blacklist tmp_tis
blacklist tmp_tis_core
blacklist i82875p_edac
blacklist pcspkr
blacklist snd-pcsp
blacklist rivatv
blacklist i82875p_edac
blacklist pcspkr
# watchdog drivers
blacklist i8xx_tco
# framebuffer drivers
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist i810fb
blacklist cirrusfb
blacklist intelfb
blacklist kyrofb
blacklist i2c-matroxfb
blacklist hgafb
blacklist nvidiafb
blacklist rivafb
blacklist savagefb
blacklist sstfb
blacklist neofb
blacklist tridentfb
blacklist tdfxfb
blacklist virgefb
blacklist vga16fb
blacklist matroxfb_base
# ISDN - see bugs 154799, 159068
blacklist hisax
blacklist hisax_fcpcipnp
Partition-check during each system boot)
This is described later on, but it might be such important, to tell it alrady at this place.
We assume, that the partitions got already encrypted with LUKS/dm-crypt (we are describing later on, how this can be made, if not). But the check will work upon unencrypted ones too. To be careful, we are going to check out partitions with file systems like ext4 each system boot, especially thinking of all the updating with rpm-packages in future.
| tune2fs -c 1 /dev/mapper/cryptedhomepartition |
resp.
| reiserfstune -m 1 /dev/mapper/cryptedroot_resp_home_resp_bootpartition |
resp.
| tune2fs -d 7 /dev/mapper/cryptedroot_resp_home_resp_bootpartition |
For unencrypted and not internal kernel-partitions replace the container-file "/dev/mapper/cryptedhomepartiton" with a device file like /dev/sda1.
Also activate in the device configuration file /etc/fstab the check each boot. Do this line (partition) by line (partition) more or less regarding "priorities&uot; of the check, by setting a positive interger not equal to zero behind the number (zero) for the (deactivated) dump at the end of the line: "0 1" for the root-partition, "0 1" or "0 2" for the home-partition and so on.
An example of the content of /etc/fstab as a whole is given further below.
Apache-Webserver (httpd.conf) (analogous: LAN/Samba (samba.conf, database server/MySQL (my.cnf and mysld.conf) and other server, print-server (CUPS) see end of this website )
Now it is the turn for the webserver, almost Apache httpd 1.3 or 2.0. Basic functions are enriched by many loadable modules.
To see, which modules are really needed, have a look into /etc/apache/httpd.conf (CentOS 6 and CentOS 7: /etc/httpd/httpd.conf):
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
Superfluos modules can be commented in by "#" plus blank at the very beginning of each line. Apache will work faster and will consumpt less memory the less modules are needed..
Only those modules should be loaded, that are really needed. The kind of server determines, which ones. Nevertheless there are modules, a standard webserver does not need:
* lib_status (presents a server-internal status)
* libproxy (an enormous security risk, as the webserver realizes a proxy for the accesses of other server)
* mod_cgi (to start so-called cgi-scripts. Such scripts are rarely used today as they are one more security risk)
* mod_userdir (generates a web-directory for each user)
In Debian, Apache 2.0 uses the file /etc/apache2/apache2.conf for configuration. All modules symbolically linked in /etc/apache2/mods-enabled are loaded by default. To deactivate such modules, the link has to be deleted.
After the config-files were changed,
apache -t
shows, if the configuration-syntax still is OK.
/etc/init.d/apache restart
oder
/etc/init.d/apache2 restart # C6 (el6): sh /etc/init.d/httpd restart
restarts the server, therewith the changes can take into effect.
Notice, that SuSE makes it the other way. Apache-modules are loaded within the file /etc/sysconfig/apache2. Look out in this file for the line with "APACHE_MODULES" and delete the entries not needed. After this,
SuSEconfig
has to be started out of the shell. Restart Apache by
rcapache2 restart
Get more infos about the task for each module, have a look at
http://httpd.apache.org/docs/1.3/mod/index-bytype.html und
http://httpd.apache.org/docs/2.0/mod/
More reports
Apache: Howto stop unwanted referer, https://www.strassenprogrammierer.de/apache-unerwuenschte-referer-stoppen_tipp_441.html
source. https://www.strassenprogrammierer.de/webserver-absichern-hacker_tipp_479.html
Secure Apache/PHP/Nginx server
Edit httpd.conf file (CentOS: /etc/httpd/conf/httpd.conf) and add the following:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By
Restart the httpd/apache2 server on Linux
You must install and enable mod_security on RHEL/CentOS server. It is recommended that you edit php.ini and secure it too.
https://www.cyberciti.biz/tips/linux-security.html
DDoS-Schutzdienst:
Der DDoS-Schutzdienst ist in der Lage, selbst die komplexesten DDoS-Angriffe abzuwehren.
https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html
https://www.digitalattackmap.com/understanding-ddos/
Lastverteilung:
Der Lastenausgleich geht häufig mit Ausfallsicherheitsmechanismen einher: Indem Sie einen Cluster mit der entsprechenden Kapazität aufbauen und die Anforderungen auf einzelne Systeme verteilen, können Sie die Ausfallsicherheit erhöhen Ausfallsicherheit, wenn der Ausfall eines Systems erkannt wird und die Anforderungen automatisch an ein anderes System gesendet werden.
https://de.wikipedia.org/wiki/Lastverteilung_(Informatik)
https://www.nginx.com/resources/glossary/load-balancing/
HMAC authentication
HMAC stands for keyed-hash message authentication code. A message authentication code protects against the modification of transmitted data by an attacker, who can read the data in real time. TLS use hash values (hence the H in HMAC) out of the numerous possibilities for the reliable authentication of messages.
https://en.wikipedia.org/wiki/HMAC
HMAC Authentication in Web API - Dot Net Tutorials
Understanding the Keys used in HMAC Authentication. Uses of HMAC Authentication in Web API. How does the HMAC Authentication work?
https://dotnettutorials.net/lesson/hmac-authentication-web-api/
What is HMAC authentication and how does it make VPN safer?
HMAC stands for hashed message authentication code and is an important factor in VPN security. Learn why strong HMAC auth matters for VPN security.
https://protonvpn.com/blog/hmac-authentication/
Station-to-Station (STS) protocol, Cipher Block Chaining:
CBC stands for Cipher Block Chaining, which is every message depending on the previous passes. So can yourself short interruptions of the channel can be quickly noticed. Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange A symmetric encryption scheme is used, the key of which is the negotiation of Diffie-Hellman key exchanges with elliptic curves. The server and the app use intelligent math to negotiate and verify the secret key, which is then used to encrypt the data for the entire session. Station-to-Station (STS) protocol: https://en.wikipedia.org/wiki/Station-to-Station_protocol In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme. The protocol is based on classic Diffie–Hellman, and provides mutual key and entity authentication. Unlike the classic Diffie–Hellman, which is not secure against a man-in-the-middle attack, this protocol assumes that the parties have signature keys, which are used to sign messages, thereby providing security against man-in-the-middle attacks. In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit key confirmation, making it an authenticated key agreement with key confirmation (AKC) protocol.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC
Pretty Good Privacy
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added
to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
Perfect Forward Secrecy
With Perfect Forward Secrecy, even if a dedicated opponent is somehow able to attack the computer or server during a session, they will not be able to decrypt traffic from past sessions. The provider uses namely with each connection a new secret key. Even if you remain connected to the Server for a long period of time, the provider automatically changes the key every 60 minutes. This key renewal process every 60 minutes guarantees "Forward Secrecy". So if an attacker succeeds in compromising the key, in the worst case scenario, he could track the data for up to 60 minutes. Then everything is secret again.
https://en.wikipedia.org/wiki/Forward_secrecy
Shadowsocks SOCKS5 proxy (all servers) Shadowsocks Proxy can be used by the provider through the application (Mac OS X, Windows, Linux, iOS, Android, Windows 10 Mobile). In addition, there is an advantage that "shadow socks" can not even be blocked in highly restrictive networks.
https://shadowsocks.org/en/index.html
Smart DNS Proxy (all servers)
There are currently two common ways to circumvent geo-blocks of foreign video-on-demand services such as Hulu, Netflix or Vudu. The first way is to use SmartDNS services. The term SmartDNS hides on innovative technology that has been specifically designed to bypass the geo-blocking barrier. To configure the SmartDNS service, there is only a minimal change to the TCP/IP properties of the network connection. Then, the user can freely use many suspended streaming services regardless of their current whereabouts.
http://www.unblock.ch/smart-dns-anbieter/
DNS-Leak:
Eigene DNS-Server ohne Festplatten (RAM-Disk). Zusätzlich werden OpenDNS-Server (IPv6) verwendet (Auswahlmöglichkeit in den Einstellungen). Der Dienst schützt zuverlässig vor dem bekannten DNS-Leck.
https://www.hongkiat.com/blog/creating-ram-drives/
https://www.tomshardware.com/news/what-we-know-ddr5-ram,39079.html
https://www.opendns.com/about/innovations/ipv6/
IP-Leak:
Eine eigene Software verhindert zuverlässig Angriffe bekannter DNS-Leak-Methoden.
WebRTC-Leak:
Der Service schützt zuverlässig vor dem bekannten WebRTC-Leak-Problem.
Speicherschutz-Funktion (Schutz vor Serverausfällen):
Diese Funktion ist in der Lage, den verfügbaren Arbeitsspeicher so aufzuteilen und laufende Programme so voneinander zu trennen, dass ein Programmierfehler oder Absturz eines einzelnen Programms nicht die Stabilität anderer Programme oder des Gesamtsystems beeinträchtigt (Speicherschutz-Mechanismus).
Serverausfall (Schutzmöglichkeiten):
Unterspannungsschutz (UVP)
Überspannungsschutz (OVP)
Kurzschlusssicherung (SCP)
Überlastschutz (OPP)
Überstromschutz (OCP)
Überhitzungsschutz (OTP)
Japanische 105°C Kondensatoren (Lebensdauer vom Netzteil)
Brandmelder (im Serverraum eingebaut)
Diese Schutzfunktionen (Netzteil) können die meisten Serverausfälle verhindern.
Login methods, Two-Factor-Authentification (TOTP)
Two factor authentication can be implemented for SSH access or other application login, it will improve login security by adding a second factor of authentication, that is the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.
There are custom applications available for this such as Duo Securityand Google Authenticator as well as many others. These typically involve installing an application on a smart phone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
4096 bit encryption/Eliptic-cuves-cryptography/
Two-Factor-Authentfication/connection (SSL/TLS encryption)/full IPv6
Support/HMAC-Authentifizierung/Cipher Block Chaining/Diffie-Hellman-Schlüsselaustausch/STS-Protokoll (Station-to-Station)/Pretty Good Privacy/Perfect Forward
Secrecy/encryption tool (Cloud Storage/Backup)/Failure Backup-solution/NAT-Firewall/
DDoS-protection/Lastverteilung/DNS-Leak/IP Leak/WebRTC Leak/WebRTC Leak/
Windows Login Leak/Arttifical Intelligence (NeuroRouting™)/Zero-Knowledge-Beweis/
Fiat-Shamir-Protokoll/Schnorr-Identification/SecureCore-function (security kernel)/
4096 bit encryption:
https://www.pcwelt.de/ratgeber/Verschluesselung_-_Was_ist_noch_unknackbar_-Sicherheits-Check-8845011.html
https://www.heise.de/security/artikel/Kryptographie-in-der-IT-Empfehlungen-zu-Verschluesselung-und-Verfahren-3221002.html?seite=all>
https://de.wikipedia.org/wiki/Elliptic_Curve_Cryptography
https://www.heise.de/select/ix/2017/3/1487529933065685
https://www.computerweekly.com/de/definition/Elliptische-Kurven-Kryptografie-Elliptic-Curve-Cryptography-ECC
https://www.globalsign.com/de-de/blog/ecc-101/
https://www.ssl247.de/certificats-ssl/rsa-dsa-ecc
Two-Factor-Authetification(TOTP):
https://de.wikipedia.org/wiki/Zwei-Faktor-Authentisierung
https://www.pcwelt.de/ratgeber/Wichtige_Dienste_per_Zwei-Faktor-Authentifizierung_schuetzen-Sicherheit-8679969.html
https://www.security-insider.de/flexiblere-zwei-faktor-authentifizierung-an-vpns-a-700259/
https://www.security-insider.de/remote-access-vpn-mit-zwei-faktor-authentifizierung-a-389000/
http://www.itseccity.de/produkte-services/it-security/vpn-loesungen/ncp-engineering090315.html
Authenticator-App:
a) FreeOTP Authenticator
b) Authy
c) Microsoft Authenticator
d) LastPass Authenticator
e) Google Authenticator
Kill hack-attempts against the Secure Shell
In order to prevent hundrets of sshd-tasks starting at the same by a hacking attempt, add the line
MaxStartups 3:30:10
into the configuratio file /etc/ssh/sshd_config. This restriction is effective but complicated. The values in the example mean, that 2 (= 1. value minus 1) unauthenticated (and therefore in the Login-state assembled) sshd-connections are always allowed.
A third connection (= 1. value) is blocked by a probability of 30% (second value).
The probaliity of ending a connection is increasing linear, until up from 10 opened (built-up) connections (third value) each attempt to build up a connection is blocked at all at the rate of 100 in percent.
Notice, that useres already logged in do not refer to these values! The values in the example from above should suffer the need for each small and middle-sized server. If there are plenty of SSH-user, higher values might be recommended, for example:
MaxStartups 10:30:50 6
Source: https://www.strassenprogrammierer.de/sicherheit-ssh-hacker_tipp_480.html
Forbid root-access for SSH
Change the ssh-configuration:
nano /etc/ssh/sshd_config
and set
PermitRootLogin no
And to make it most secure, we add the following lines:
# Only permit user admin.
AllowUsers admin
# Generally block root or user of group root:
DenyUsers root
DenyGroups root
This lines can be added at the beginning of the file. Enhance the entry AllowUser, if further on more user are permitted for the SSH-login. New user are separated by a blank and not colon,. for example:
AllowUsers admin user1 user2 user3
Now the ssh-daemon gets started:
service ssh restart
Debian:
/etc/init.d/ssh reload
CentOS: sh /etc/init.d/sshd restart
Now we open a new session and try to login as root. By using the correct password, we get the message:
Access denied
Quelle: https://www.rechenkraft.net/wiki/Root_Server_absichern_(Ubuntu_14.04)
https://linux-scout.de/sicherheit/debian-server-absichern-so-machen-sie-es-richtig/
Secure Linux Server
From Qloc Wiki
Here you find significant basics to secure a Debian/Ubuntu System. Except the tips listed here there are a lot of security precautions to make attacks more difficult.
Generally for all public systems essential services should only be accessible from the outside. Unused services like webserver or MySQL Server should eiteher be inaccessible with the help of iptables-rules or be deactivated.
Summary
1 Secure keywords (passwords)
2 SSH Port: secure up by change
3 Creating SSH-keys
4 Opening of required ports only
5 Prevention of Brute Force Attacks
6 Installing security updates
https://wiki.qloc.de/index.php/Absichern_eines_Linux_Servers
Right here we´d like to mention the server configuration files for many more security settings (like access/login, ACL-access-rights, log, bandwidth and server-ports (now "client"-ports) to open). Also search for adequate modules resp. securing server-extensions.
- Apache: mod_evasive against DDoS, mod_cband as traffic-Cop
- Fail2Ban for the https-vHosts- resp. htaccess authentification
- 24/7 monitoring with SMS alerting through an SMS Gateway via monit
- encrypted backups in two different computer centers
- instead of unencrypted ftp: SFTP. Transfer gets encrypted through sshd.
Configure an ftp-server working with ssl-encryption, it es similar to POP3 and IMAP. Then the transfers get secure, noone can read data.
Forbid anonymous accounts and run the ftp server in a chroot environment. This keeps away most annoynances.
Use ssh instead of ftpd just relying on ssh too.
Normalerweise ist das Verbinden mit einem FTP-Server mit SSL nicht schwieriger als mit einem ohne.
Just configure the ftp-client for the SSL-ecnryption and he will connect. The everyting works like connecting with a ftp-server without SSL. One will be just asked, if the certificate is accespted.
SSH use port 22. It is possible to upload files too, but the user once logged in has the possibility to access the system- except the account is chrooted.
...
https://serversupportforum.de/forum/security/28079-abschottung-wie-geht-es-nun-weiter-2.html
Memory-protection-function (protection against server-breakdowns):
This function is be abled to separate the RAM into areas and distinguish processes the way, that programmers or breakdowns do not affect the stability of other processes or impairs the whole system (RAM-protection).
Server-breakdown-protection:
Low-Voltage-protection (UVP)
Overvoltage-protection (OVP)
Short circuit protection: (SCP)
Overload-protection (OPP)
Over current stream protection (OCP)
Over heat protection (OTP)
Japanese 105 degree condensators (lifetime of the netadapter)
Fire detectors (server room)
Chroot ( Befehl chroot ): is part of commands resp. communication-protocols like mount, ssh, stfp and effects one of the most serious hard threats! Help is given by sandboxes and/or/including the locking of the shells of the user (unfortunately a sandbox only, if a program works upon sandboxes, for example tor-browser does not (but migh have its own one). We are going to talk about this problem!
Chroot and Chroot-Jail (Chroot-Enviroment, Chroot-Sandbox)
https://wiki.debian.org/chroot
Step by step: https://www.linuxwiki.de/chroot
Chroot and Chroot-Jail, debian.org, wikipedia.org
A chroot on Unix operating systems is an operation, that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot system call or the chroot wrapper program. The modified environment is called a chroot jail.
https://wiki.debian.org/chroot
https://en.wikipedia.org/wiki/Chroot
Linux - Keeping users inside their home directory - Super User
If you use chroot like this, everything the user needs (executables, libraries, etc.) has to be within the chrooted directory. I´ve seen ftp-servers set up that way, with static executables copied into a bin directory.
https://superuser.com/questions/396282/keeping-users-inside-their-home-directory
How to configure ProFTPD to chroot users to /home directory or any ...
If you´re using ProFTPD user on a Linux server, you most certainly have wondered, how you can configure the FTP server to chroot (or jail) it´s users to a particular ...
https://www.pc-freak.net/blog/how-to-configure-proftpd-to-chroot-users-to-home-directory-or-any-other-selected-directory-2
Furthermore past the configuration the server can run in a lower, but even more safer runlevel like runlevel 3 (command: "init 3") than common runlevel 5 or 6. mgetty resp. mingetty: terminal-switch ( ALT + CTRL + F1 up to F7), server configuration file (if it is possible there), systemd (sysctl) or chkconfig (to set the runlevel for the server during system boot)
Coreboot - flashing the BIOS: Manufacturer BIOS-replacement by the Linux-System, https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil1/
"System security already defines upon the hardware-level. Even today it might be difficult to find out WLAN-chipsets open source driver are provided. Exceptions like for AR9170 chipset are provided, same for the BIOS.
Idally Coreboot can replace the actual BIOS for a open-source, free BIOS. Otherwise hidden backdoors are risked usable by secret services.
We can be only really "secure", if open-source is used by hard- and software. [...].
Therefore I am urged for the project "hardened Linux" to make an exception and like to repeat, that this project does not protect against directed secret services.
I...] As I wrote with the first article, a secure operating system can only be obtained using Linux resp. Unix."
https://www.coreboot.org/Supported_Motherboards # u.a.
Many BIOS-variants are associated with software failures. Getting rid of them often implies updates from manufacturer. Beneath these unintended restrictions basic approaches exist to implement more functions in proprietary firmware (BIOS resp. UEFI) in future, that make afraid of more conscious restrictions of functionality.
Quelle: https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil1/
https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil2/
https://de.wikipedia.org/wiki/Coreboot
https://www.golem.de/0912/72132.html
With Coreboot the system-startup-time can also be declined.
Copy the Bios-flashing file (.ROM) from manufacturer-DVD into the boot-partition too, in order to get loaded after pressing the function-key or the Bios-setup to flash, if required!
Shorten the boot-time for your Linux rapidly: For grub, exchange the value for the automized election to five or three seconds only.
Initscripts: use systemd or care for a short list through chkconfig by deleting as many scripts out of the list you can find in /etc/init.d as possible, therefore use chkconfig --del. Also repair listed loop-errors of such scripts in that way warned agains during the system-boot.
If you put order into the list of init-scripts, Linux like C6 (CentOS 6) will boot in less than one minute (upon Intel Celeron in less than 20 seconds) even faster than Debian!
Of course more boot time for the typing in of the password for the decryption of the LUKS-encrypted root-partition, the partition-checks and for the boot (startup) of the Desktop Environment at the end of the boot has still to be considered (added)!
Disable any network-connection-build-up, until the system got booted!
hal resp. haldaemon extends the boot-startup-time for C6 (Centos 6) resp. "previous" mdv (2010-2012) until the KDE-login (kdm) without regarding the LUKS-passwort-login and harddisc-check by fsck (we thought of each boot) serious hard from around 20 seconds up to more than one minute ! hal resp. hald (haldaemon) might work faster by creating the file haldaemon within /etc/sysconfig with the follwoing include:
--child-timeout=15 # Begrenzung der Kindprozesse
--daemon=no
In /etc/dbus-1/system.d/hal.conf forbid some up to now allowed methods and devices, eventually like LightSensor and WakeOnLan, and in another subdirectorys haldaemon referring files like *dell-computer* eventually can just be deleted (removed)..
Konfiguration der Netzwerkschnittstelle
/etc/udev/rules.d/70-persistent-net.rules for mainboard ASUS ITX-220
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
# Drakx-net rule for eth0 (cb:ad:b3:81:1a:53)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="cb:ad:b3:81:1a:53",ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x10ec:0x8168 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="0b:01:ab:ba:3b:15", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
First entry configures the interface as we hope NAME="eth0" for udev for the original mac-address in ATTR..., this is not the mac-address renewed by macchanger within /etc/rc.local later on, else set this exchanged one (renewed by macchanger already at this place), the second entry configures the PCI-interface of ITX-220 for, as we hope, NAME="eth1". This PCI-entry, or both entries, might be automatically generated by udev. Lookout, that belonging NAME is always eth0 is always the NAME in the first case (first entry) and eth1 in the last case (second entry) (and never eth0).
ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=no
METRIC=5
MII_NOT_SUPPORTED=yes
USERCTL=yes
DNS1=127.0.0.1
RESOLV_MODS=yes
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=yes
DHCP_CLIENT=dhclient -4 -cf /etc/dhcp/dhclient.conf eth0
NEEDHOSTNAME=no
PEERDNS=no
PEERYP=no
PEERNTPD=no
TYPE=Ethernet
IPADDR=0.0.0.0
MACADDR=e1:a0:b0:cd:a1:b8 # original OR "black masked" hardware address (ethernet-card): Try /etc/rc.local. "macchanger --mac e1:a0:b0:cd:a1:b8 eth0" and set in Linfw3 "your IP" to the by this mac-address new resp. origin pregiven one (local IP) next (or past) the connection-build-up. The computer (system) might break down after all these changes, but after some newstarts, the system will gain its old´n good stability right back.
More network troubleshooting:
https://www.pcwelt.de/a/wlan-probleme-so-loesen-sie-typische-aergernisse,3389115
https://www.pcwelt.de/ratgeber/Fehlersuche-im-Netzwerk-LAN-WLAN-1953158.html
Intall the actual netprofile (rpm: omv2015, pclos, rosa2014.1) only; never choose other (elder) buggish versions!
If the interface is eth0 only, delete the following files:
rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases
rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases
...
Remove all other interfaces except eth0 from drbl.conf, choose eth0 only, if eth0 is the net-interface
drbl.conf
nano cd /etc/drbl/drbl.conf
There should be only one interface named eth0 be configured, even shown in MCC. If the net-adapter does not build up the connection, look out for all passages in files with eth not valued zero like eth1, eth2 and so on! Use grep -R to find such files and remove them (such passages)! Update dhclient (el6) and netprofile including all netprofile-plugins to netprofile (rosa2016.1, omv4)! If there are still problems, have a hort time to plug out the net adapter of the DSL-Modem to plug it in again for a new connection build-up with the DSL-provider. Now the net adapter should work fine and, as we hope forever!
Netz-Aliase
/etc/networks
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0 # link-local 169.254.0.0 # In a computer network, a link-local address is a network address that is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to. Link-local addresses are most often assigned automatically through a process known as stateless address autoconfiguration or link-local address autoconfiguration. Link-local addresses are not guaranteed to be unique beyond a single network segment. Routers therefore do not forward packets with link-local addresses.
For protocols that have only link-local addresses, such as Ethernet,[dubious - discuss] hardware addresses assigned by manufacturers in networking elements are unique, consisting of a vendor identification and a serial identifier.
Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation. In IPv6, they are assigned the address block fe80::/10, https://en.wikipedia.org/wiki/Link-local_address.
Preload-acceleration
The Tool Preload accelerates not the boot time, but program starts or autostarts (under "Start programs"), that are used often or regulary awaiting past each system login. This simple service protcols the program favorites and loads them into the RAM right before. The program start accelerates by this. Preload is obtainable as rpm and deb packet.
A manual configuration is not essential, but possible ("/etc/preload.conf") (start preload for example within /etc/rc.local)
https://www.pcwelt.de/ratgeber/Schneller_Linux-Start_ueber_Systemd_-_so_geht_s-Dienste_optimieren-8259105.html
rkhunter, chkrootkit, Lynis - security check
With lynis an audit can simply be made:
su
lynis audit system --quick
After the first run one gets confronted with the total result named "Hardening index". "Warnings" and "Suggestions" howto secure resp. harden the system are shown during the scrolling.
https://www.kuketz-blog.de/linux-systemhaertung-basis-linux-haerten-teil2/
Delete X Windows on server
X Windows on server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set run level to 3. Finally, remove X Windows system, enter:
# yum groupremove "X Window System"
On CentOS 7/RHEL 7 server use the following commands:
# yum group remove "GNOME Desktop"
# yum group remove "KDE Plasma Workspaces"
# yum group remove "Server with GUI"
# yum group remove "MATE Desktop"
https://www.cyberciti.biz/tips/linux-security.html
X-Server: Howto secure up: Host- and cookie-based access
he number 1 rated high risk system vulnerability noted by the recent ISS audit of BNL was the use of "xhost +" or an open X display. Using "xhost +" allows anyone the ability to watch your keystrokes, capture windows and insert command strings into your windows. This situation is particularly bad when you have root access to a machine. There is no legitimate reason to run "xhost +". Most people will be using ssh to make their connections to other machines than their desktop and ssh tunnels X11 traffic, eliminating any need for "xhost +". To use turn on X11 forwarding with ssh call it like:
ssh -X host.domain
This can be turned on by default by adding the following to DOLLARSIGNHOME/.ssh/config:
Host *.bnl.gov
ForwardX11 yes
Make sure of the following things:
You should not set your DISPLAY variable, ssh will do it for you. It will look something like:
echo DOLLARSIGNDISPLAY
localhost:12.0
X11 forwarding must be allowed by the SSH server. Check /etc/ssh/sshd_config for a line saying "X11Forwarding yes".
On Linux/UNIX machines, the "xhost +" command can be issued at many locations, so you will have to remember, where you did it or find the location to turn it off (I believe that all recent version of the Linux X server have "xhost -" as the default). If you cannot find where the "xhost +" command is issued, adding a call to "xhost -" somewhere will turn it off.
Some of the most common files where you can find the "xhost +" command are in the X11 startup files. These file are
DOLLARSIGNHOME/.Xclients
DOLLARSIGNHOME/.Xclients.gnome
DOLLARSIGNHOME/.Xclients.kde
DOLLARSIGNHOME/.xinitrc
DOLLARSIGNHOMN/.xsession
/etc/X11/xinit/xinitrc
/usr/X11R6/bin/startx
/usr/X11R6/lib/X11/xdm/Xsession
Also, doing a man xinit will give you more information on startup files which are executed when one starts up X11.
If you want to test to see whether you have fixed the "xhost +" problem on your systems, log into another unix computer, disable the ssh X11 encryption channel by resetting the DOLLARSIGNDISPLAY environment variable back to the server port 0 of your desktop, and then try starting up an xclock. For example, type the following commands
ssh youraccount@yourfavoritunixserver.phy.bnl.gov
setenv DISPLAY yourdesktop.phy.bnl.gov:0
xclock
If an xclock pops up on your screen, you still have not properly enabled X11 access control. You should contact your computer liaison for further assistance.
Xterminals
To enable access control (set xhost -) on Tektronix Xterminals bring up the "Setup" menu (F3 key). In the "Configuration Summaries" pull down menu select "X Environment". On the X Environment page toggle "Enable Access Control" to "Yes". Return to the Main Menu and then "Save Settings to NVRAM". The terminal will now reject all X connections except those coming from the machine you connect to via XDM and those coming through tunnels to you XDM host created when you ssh to another machine. If you run "xhost +" on the XDM host, then you will again disable access control, so you should make sure that you do not do this in any of the X setup files (see the UNIX discussion above).
The following is an e-mail from Ofer Rind, who tells us how to enable X11 authentication on NCD Xterminals. Thanks Ofer for you post.
-----------
-
Disabling Xhost+ on an Xterminal
(NB: This was tried on both NCD and Textronix Xterminals and seemed to work; however, your mileage may vary. The description is for an NCD.)
Press Alt-F3 to pull up the Xterminal control bar. Select "Change Setup Parameters" from the "Setup" menu. When the setup parameters window pops up, select "Access Control." This will expand the menu, revealing an option called "Enable Access Control." Turn this on by pressing the adjacent square. Then, at the bottom of setup window, press the "Apply"
button to effect the change. This sometimes takes several seconds, be patient. When the arrow cursor returns, close the setup window and return to your previously scheduled program. X access control should now (hopefully) be enabled. NOTE that this access control can be superseded by a user who logs in on the Xterm and sets "xhost +".
Quelle: http://www.phy.bnl.gov/cybersecurity/old/xhost_plus.html
So our settings typed in terminal and /etc/rc.local after login to superuser by command "su" are (reset by "xhost +" on problems past the login):
xhost -
xhost +si:localuser:local-username
xhost +si:localuser:lokaler-Benutzername# lokaler-Benutzername: nur user, d.h. alle anderen Benutzer sind gesperrt, darunter Benutzer root, surfuser und toruser
xhost -si:localuser:root # bereits mit "xhost -"
xhost -si:localuser:toruser # bereits mit "xhost -"
xhost -si:localuser:surfuser # bereits mit "xhost -"
xhost -inet6:user@ # Das @-Zeichen muss bei inet6 (IPv6) im Unterschied zu si hinter dem Benutzernamen user stehen.
xhost -nis:user@ # nis: Secure RPC network
Output of command xhost:
access control enabled, only authorized clients can connect
SI:localuser:local-username
Do not set it for any other user, even NOT root! These simple two rules (for example in /etc/rc.local) make the system once more mouseclick-fast..
X-Server, cookie-based access: MIT-MAGIC-COOKIE-1
When using xdm (X Display Manager) to log in, you get a much better access method: MIT-MAGIC-COOKIE-1.
A 128-bit "cookie" is generated and stored in your .Xauthority file. If you need to allow a remote machine access to your display, you can use the xauth command and the information in your .Xauthority file to provide access to only that connection. See the Remote-X-Apps mini-howto, available at
http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html.
Cookie-based access
The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and passing it to the X display server when it is started; every client that can prove having knowledge of this cookie is then authorized connection to the server.
These cookies are created by a separate program and stored in the file .Xauthority in the user´s home directory, by default. As a result, every program run by the client on the local computer can access this file and therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program from another computer on the network, the cookie has to be copied to that other computer. How the cookie is copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie.
The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first method, the client simply sends the cookie when requested to authenticate. In the second method, a secret key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server.
The xauth application is a utility for accessing the .Xauthority file. The environment variable XAUTHORITY can be defined to override the name and location of that cookie file.
The Inter-Client Exchange (ICE) Protocol implemented by the Inter-Client Exchange Library for direct communication between X11 clients uses the same MIT-MAGIC-COOKIE-1 authentication method, but has its own iceauth utility for accessing its own .ICEauthority file, the location of which can be overridden with the environment variable ICEAUTHORITY. ICE is used, for example, by DCOP and the X Session Management protocol (XSMP).
https://en.wikipedia.org/wiki/X_Window_authorization
Fetch the magic cookie entry relevant to your local display:
[garth@server1 ~]DOLLARSIGN echo xauth add xauth list DOLLARSIGN{DISPLAY#localhost}
xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
Switch user to "oracle" and add the entry into your /home/oracle/.Xauthority file (by copying the ‘xauth add…´ line from above:
[garth@server1 ~]DOLLARSIGN sudo su - oracle
[oracle@server1 garth]DOLLARSIGN echo DOLLARSIGNDISPLAY
localhost:12.0
[oracle@server1 garth]DOLLARSIGN xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
xauth: creating new authority file /home/oracle/.Xauthority
After this your X-session should work…try something like "xcalc" or "firefox" to test it first and you should be ready to go!
http://www.snapdba.com/2013/02/ssh-x-11-forwarding-and-magic-cookies/
Also use ssh to allow secure X connections. This has the advantage of also being transparent to the end user, and means that no unencrypted data flows across the network.
Also disable any remote connections to your X server by using the ´-nolisten tcp´ option to your X server. This will prevent any network connections to your server over tcp sockets.
Take a look at the Xsecurity man page for more information on X security. The safe bet is to use xdm to login to your console and then use ssh to go to remote sites on which you wish to run X programs.
http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698
kdm: /usr/share/config/kdm/kdmrc
...
AllowNullPasswd=false
AllowRootLogin=false
AllowShutdown=None
AutoReLogin=false
...
ServerArgsLocal=-deferglyphs 16 -nolisten tcp
...
X11: Graphic card adjustments, especially for opengl- and SDL-games
Adjustment influences system and graphic card.
BIOS-Setup: Northbridge -> COMBO-mode
Start driconf (hardware see data sheed)
Activate:
1) performance
+ synchronisation follows the verticale frequency rate, so that programs choose the minimal one
+ buffer object reuse: Enable reuse of all size of buffered objects
2 ) display (screen) quality
+ activate S3TC texture compression, even if unsupported by software
3) on failures
+ activate the immediate emptyting of the batch buffer each call for char
+ activate the immediate empying of the GPU-buffer
+ disable throttling on first batch after flush
+ force GLSL extension default behavior to "warn"
+ disable backslash-based line continuation in GLSL-source
+ disable dual source blending
+ perform code generation at shader link time
Deny administrative remote access
/etc/security/access.conf should be changed the way, that a remote access into an administrative account becomes impossible. By this user have to start the program su (or sudo) for administrative rights, so that there is always a track to check.
Add the following line into /etc/security/access.conf:
-:wheel:ALL EXCEPT LOCAL
Do not forget to activate pam-module each service (or the standard configuration), if you want changings within /etc/security/access.conf get noticed.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html
How to Check Password Expiration of User
In Linux, user´s passwords are stored in ´/etc/shadow´ file in encrypted format. To check password expiration of user´s, you need to use ´chage´ command. It displays information of password expiration details along with last password change date. These details are used by system to decide when a user must change his/her password.
To view any existing user´s aging information such as expiry date and time, use the following command.
#chage -l username
To change password aging of any user, use the following command.
#chage -M 60 username
#chage -M 60 -m 7 -W 7 userName
Parameters
-M Set maximum number of days
-m Set minimum number of days
Quelle: https://www.tecmint.com/linux-server-hardening-security-tips/
Checking Accounts for Empty Passwords
Any account having an empty password means its opened for unauthorized access to anyone on the web and it´s a part of security within a Linux server. So, you must make sure all accounts have strong passwords and no one has any authorized access. Empty password accounts are security risks and that can be easily hackable. To check if there were any accounts with empty password, use the following command.
cat /etc/shadow | awk -F: ´(DOLLARSIGN2==""){print DOLLARSIGN1}´
https://www.tecmint.com/linux-server-hardening-security-tips/
Keep a (daily) watch onlog-files (for example with logwatch) as much as the last logins in /var/log/lastlog
With the help of the command lastlog the content from /var/log/lastlog can be transferred into a readable format.
https://www.stefanux.de/wiki/doku.php/linux/hardening
Services should not run as root-processes
deactivate services not needed (smalling the place for attacks): check out opened ports
netstat -lnptu
Internetsuperserver
veralteter inetd noch nötig?
xinetd sicher konfigurieren
(gefährdete) Dienste absichern:
nur auf einer bestimmten IP lauschen, auf andere Ports wechseln
evtl. Port-knocking einsetzen (Beispiel SSH)
Bind mit chroot
sicheren FTP-Server einsetzen: vsftp oder pure-ftpd
unsichere Dienste nicht für kritische Aufgaben (Login) zulassen:
FTP
Telnet
veraltete r-Dienste (rsh, rlogin, …)
nur notwendige Benutzerkonten einrichten
regelmäßig die Passwörter der Benutzer auf unsichere Passwörter überprüfen
leere Passwörter nicht erlauben
Kernel absichern
eigenen (minimalen) Kernel bauen
Integritätschecker, z.B. tripwire als cronjob laufen lassen. Die Signaturen sollten auf einem sicheren Drittsystem gelagert werden bzw. read-only gemountet sein (z. B. auf einer CD oder Diskette mit Schreibschutz)
Die Benutzung von Shadow ist meist schon aktiviert (shadowconfig on)
Protokolle (Logfiles) sichern:
Loghost einrichten oder
Logfiles absichern: Mit Secure Logging von Core-Wisdom können Sie Logfiles auch in mySQL-Datenbanken ablegen oder per Fingerabdruck gegen Veränderung sichern.
msyslogd oder
logrotate → Log per mail
regelmäßig nach suid-Programme suchen:
automatisch mit Programmen:
sxid schickt eine tägliche Report über dazugekommene suid/sgid per mail zu
manuell:
root-suids:
find / -perm -4000 2>/dev/null
allgemein suids:
find / -perm +6000
sgid-programme:
find / -perm -2000 2>/dev/null
volle Ausgabe mit allen Rechten bekommt man mit:
ls -lad --full-time ´find / -perm +6000´
Banner (Versionsnummern etc.) von Diensten abschalten
in /etc/motd die Kernelversion nicht anzeigen lassen, stattdessen Warnungen für Angreifer
SSH: Im Sourcecode
Webserver:
Logfiles studieren
Monitoring betreiben
Source: https://www.stefanux.de/wiki/doku.php/linux/hardening
SVGA
SVGAlib programs are typically SUID-root in order to access all your Linux machine´s video hardware. This makes them very dangerous. If they crash, you typically need to reboot your machine to get a usable console back. Make sure any SVGA programs you are running are authentic and can at least be somewhat trusted. Even better, don´t run them at all.
Quelle: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698
GGI (Generic Graphics Interface project)
The Linux GGI project is trying to solve several of the problems with video interfaces on Linux. GGI will move a small piece of the video code into the Linux kernel, and then control access to the video system. This means GGI will be able to restore your console at any time to a known good state. They will also allow a secure attention key, so you can be sure that there is no Trojan horse login program running on your console.
http://synergy.caltech.edu/~ggi/
Source: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698
Disable USB stick to detect (recommended for companies etc.)
Many times it happens that we want to restrict users from using USB stick in systems to protect and secure data from stealing. Create a file ´/etc/modprobe.d/no-usb´ and adding below line will not detect USB
storage.
install usb-storage /bin/true
https://www.tecmint.com/linux-server-hardening-security-tips/
Disbale USB/firewire/thunderbolt-devices
echo ";install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo ";blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf
Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system.
https://www.cyberciti.biz/tips/linux-security.html
System-Banner
Formulate any "welcome"-text after the login into the server on the system in /usr/lib/issue.net to make unwanted users really think, if to proceed or if it would be better to log out or get away..
How to Spoof a MAC Address (identifying hardware address of the ethernet card) permanently
[...] A 48-bit MAC address (e.g., 08:4f:b5:05:56:a0) is a globally unique identifier associated with a physical network interface, which is assigned by a manufacturer of the corresponding network interface card. Higher 24 bits in a MAC address (also known as OUI or "Organizationally Unique Identifier") uniquely identify the organization which has issued the MAC address, so that there is no conflict among all existing MAC addresses.
While a MAC address is a manufacturer-assigned hardware address, it can actually be modified by a user. This practice is often called "MAC address spoofing." In this tutorial, I am going to show how to spoof the MAC address of a network interface on Linux.
Why Spoof a MAC Address?
There could be several technical reasons you may want to change a MAC address. Some ISPs authenticate a subscriber´s Internet connection via the MAC address of their home router. Suppose your router is just broken in such a scenario. While your ISP re-establishes your Internet access with a new router, you could temporarily restore the Internet access by changing the MAC address of your computer to that of the broken router.
Many DHCP servers lease IP addresses based on MAC addresses. Suppose for any reason you need to get a different IP address via DHCP than the current one you have. Then you could spoof your MAC address to get a new IP address via DHCP, instead of waiting for the current DHCP lease to expire who knows when.
Technical reasons aside, there are also legitimate privacy and security reasons why you wish to hide your real MAC address. Unlike your layer-3 IP address which can change depending on the networks you are connected to, your MAC address can uniquely identify you wherever you go. Call me a paranoid, but you know what this means to your privacy. There is also an exploit known as piggybacking, where a hacker snoops on your MAC address on a public WiFi network, and attempts to impersonate you using your MAC address while you are away.
[...] If you want to spoof your MAC address permanently across reboots, you can specify the spoofed MAC address in interface configuration files. For example, if you want to change the MAC address of eth0, do the following.
macchanger: Some things have to be done: "macchanger -r eth0" suggests a random MAC-address to add into /etc/rc.local (by "macchanger --mac new-MAC-address eth0"), same in /etc/sysconfig/network-scripts/ifcfg-eth0 and change the by this new obtained, local IP in LINFW3 (Dialog -> NONYESNO -> own IP), eventually restart the system.
On Fedora, CentOS or RHEL:
nano /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
MACADDR=00:00:00:00:00:01
Alternatively, you can create a custom startup script in /etc/NetworkManager/dispatcher.d as follows, especially if you are using Network Manager. I assume that you already installed macchanger.
nano /etc/NetworkManager/dispatcher.d/000-changemac
#!/bin/bash
case "DOLLARSIGN2" in
up)
macchanger --mac=00:00:00:00:00:01 "DOLLARSIGN1"
;;
esac
... or macchanger -r "DOLLARSIGN1"
Quelle: https://xmodulo.com/spoof-mac-address-network-interface-linux.html
This might depend on the hardware. "macchanger -r eth0" can be started at the end of a dialin-script like /usr/sbin/ifup or ifup-eth too for example. The same is possible by ifconfig.
If all this does not function, try same or similar command manually by terminal after the dialin.
Find out the actual set MAC- resp. MAC-Fake-Adresse by
macchanger -s eth0 or
ifconfig
Adjustments within /etc/sysctl/network-scripts/ifcfg-eth0
DEVICE=eth0
# MACADRESS=....
BOOTPROTO=dhcp
ONBOOT=no # automized dialin each boot
METRIC=5
MII_NOT_SUPPORTED=yes
USERCTL=yes # user are allowed to configure the dialin and to dial in itself
DNS1=127.0.0.1
DNS2=203.13.81.14
RESOLV_MODS=yes
LINK_DETECTION_DELAY=6
IPV6INIT=no # perfer IPv4 with dynamic (changing) IP
IPV6TO4INIT=no
ACCOUNTING=no
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=no
PEERYP=no
PEERNTPD=no
Resolver configuration file
File /etc/host.conf contains special information, how to configure the resolver library with a configuration keyword each line, followed by belonging configuration information.
/etc/host.conf
order hosts,bind
multi on
reorder on
nospoof on
spoofalert on
Quelle: man host.conf
NetworkManager-Configuration by /etc/NetworkManager/NetworkManager.conf:
[main]
dns=none
plugins=keyfile
dhcp=dhclient
rc-manager=unmanaged
[ifupdown]
managed=false
[logging]
level=error
domains=none
More (secure) configurations of he NetworkManager by NetworkManager.conf see https://developer.gnome.org/NetworkManager/1.11/NetworkManager.conf.html
Deactivate NIS
... in order to avoid password-sharing. For this, LDAP is recommended.
Sicheres finger
Es gibt viele finger-Daemon, als besonders sicher gilt ffingerd. Hier kann die Anzahl der zur selben Zeit laufenden Prozesse und die Anzahl der darauf zugreifenden Hosts limitiert und das verfügbare Interface eingegrenzt werden.
Sichere Nutzung von PCs unter Ubuntu (und andere, Anm., Gooken)- für kleine Unternehmen und Selbstständige v2.0 (PDF, 189KB, Datei ist barrierefrei⁄barrierearm), BSI, 01.08.2018
https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_009.html
Guidance
EUD Security Guidance: Ubuntu 18.04 LTS
Created: 24 Jul 2018
Updated: 24 Jul 2018
https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
paxctld von grsecurity.net (Aufruf paxctld in /etc/rc.local mit "paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld"
https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart
/etc/paxctld.conf (allowed is s,r,p,m and E)
e,E - https://pax.grsecurity.net/docs/emutramp.txt
m,M - http://pax.grsecurity.net/docs/mprotect.txt
p,P - http://pax.grsecurity.net/docs/pageexec.txt
r,R - http://pax.grsecurity.net/docs/randmmap.txt
s,S - http://pax.grsecurity.net/docs/segmexec.txt
https://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities
#gdb
# /usr/bin/gdb srpm
# steam
# /usr/lib32/ld-linux.so.2 m
# /usr/lib64/ld-linux.so.2 m
# node
# /usr/bin/node m
# /usr/bin/perf m
# firefox
# /usr/lib64/firefox/firefox m
# /usr/lib64/palemoon/palemoon m
# tor-browser
# /home/toruser/tor*/Browser/firefox m
# /usr/lib64/thunderbird/thunderbird m
# oxide
/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m
# valgrind
/usr/bin/valgrind m
# python
/usr/bin/python E
/usr/bin/python2.6 E
/usr/bin/python2.7 E
/usr/bin/python3.2mu E
# java
# /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java m
# /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-8-openjdk/jre/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/jre/bin/java m
# /usr/lib/jvm/zulu-8-amd64/bin/java m
# openrc
/lib/rc/bin/lsb2rcconf E
# tuned
# /usr/sbin/tuned m
# libreoffice
# Ubuntu doesn´t seem to carry this patch:
# https://bz.apache.org/ooo/show_bug.cgi?id=80816
# libreoffice will still run fine without the below line,
# but it will report an RWX mprotect attempt
# /usr/lib/libreoffice/program/soffice.bin m
Lock virtual consoles except tty7 by default
/etc/inittab, comment in:
...
# Run gettys in standard runlevels
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
...
Start as few root-processes as possible!
Remaining essential root-processes except those started by kernel (kthreadd):
init
X # xhost-access-control or run in usermode, see https://wiki.gentoo.org/wiki/Non_root_Xorg, and X with option "--nolisten tcp" (by default, check it out by pressing keys ESC + STRL and moving mouse over process X; configuration for X: /etc/X11/xorg.conf section "ServerLayout")
hald # makes acpid superfluosly
console-kit-daemon # needed only for the login, timeout possible
wpa-supplicant # part of NetworkManager
psad # or iptables: psd, port-scan-detection; start only with securing options like --no-rdns, --no-whois and --no-snort-sids
udevd # devices and interfaces
kdm
syslogd
klogd
gpm
cupsd
dhclient # or dhcpd etc.
pam_timestamp_c
master
spamd # alternatively try bogofilter for example always running in usermode
Lost or forgotten password, no access onto the system?
The steps you need to take in order to recover from this depend on whether or not you have applied the suggested procedure for limiting access to lilo and your system´s BIOS.
If you have limited both, you need to disable the BIOS setting that only allows booting from the hard disk before proceeding. If you have also forgotten your BIOS password, you will have to reset your BIOS by opening the system and manually removing the BIOS battery.
Once you have enabled booting from a CD-ROM or diskette enable, try the following:
Boot-up from a rescue disk and start the kernel
Go to the virtual console (Alt+F2)
Mount the hard disk where your /root is
Edit (Debian 2.2 rescue disk comes with the editor ae, and Debian 3.0 comes with nano-tiny which is similar to vi) /etc/shadow and change the line:
root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)
to:
root::XXXX:X:XXXX:X:::
This will remove the forgotten root password, contained in the first colon separated field after the user name. Save the file, reboot the system and login with root using an empty password. Remember to reset the password. This will work unless you have configured the system more tightly, i.e. if you have not allowed users to have null passwords or not allowed root to login from the console.
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html
Checking file system integrity
Are you sure /bin/login on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?
The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you´re on the safe site here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes at your binaries.
Common tools used for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. Installing debsums will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read Do periodic integrity checks, Section 10.2 and Taking a snapshot of the system, Section 4.19.
You might want to use locate to index the whole filesystem, if so, consider the implications of that. The Debian findutils package contains locate which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change its behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not the bits that the user nobody can see) you can replace locate with the package slocate. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using slocate, the user only sees the actually accessible files and you can exclude any files or directories on the system. The slocate package runs its update process with higher privledges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. slocate doesn´t let them see new files; it filters the output based on your UID.
You might want to use bsign or elfsign. elfsign provides an utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. bsign uses GPG, elfsign uses PKI (X.509) certificates (OpenSSL).
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
Solution: encryption of the root-partition, see Full System Encryption (FSE)
Lifetime hardware, conductor pathes: secured contacts on graphic cards, boards and platines
Sounds like it is our last advice (but of course it isn´t), not to forget to put some chalk into the computer tower inside. The trick is to keep contacts on mainboard including graphic-chip resp. graphic card and other electronic devices always rust-proof and save from moisture!
Remove online accounts of internet service provider
Phishing, profiling, spam, data handling, investigations by law, organized criminality, secret agencies, ad networks, large server farms, artificial intelligence, social bots, hacks, doxxing, honeypots, man-in-the-middle-attacks, ...: Before starting with the installation of "Universal Linux 2010" resp. before going to update programs and system, try to remove as much online-accounts as possible, that means as making sense for you: social media, Google, paypal, online banking, online shopping, ... This might become quit difficult: So read out belonging manuals and follow the instructions. For still existing accounts security settings should be made serious hard after the logins into the online portals.
Allround-protection through iptables-firewall Linfw3
Linfw3 can be downloaded during further below. With Linfw3 all hacker and all trojans can be blocked, if only the user like surfuser within a group like surfgroup are allowed the password protected start of processes going online into the net. Even superuser root resp. uid 0 belongs to all the user, who are not allowed going online, only processes started by (surfuser) of group (surfgroup). By this, programs can go online in a very easy way, after belonging ports once got opened in Linfw3. This is the main advantage. The next advantage: All passwords except the ones for the LUKS-encrypted root partition get irrelevant - even if others know them! The access rights for files should be set local for each user only onto <=700 ( what can be done automatically per "umask 077" within /etc/fstab, manually by chmod or graphically through the context menu). The last risk remains in the Chrooting, settings by msec like "Forbid root-access", "Forbid extern access for root/forbid chrooting" and/or Sandbox firejail prevent by locking the consoles of the user accounts (including root (uid 0, gid 0), but except surfuser). Even the shell-login of all system- and user-accounts except surfuser can be restricted to /sbin/nologin too - no login possible. This can be done with msec_gui or by a special UNIX/Linux-(bash-)command). ACL-access-control (request by getfacl, settings by setfacl) can restrict processes owned (started) by surfuser access on all kind of (exectuable) files too. Scripts over once opened (established) net-connections can be blocked by Firefox-Extensions ABP, noscript and RequestPolicyBlockedContinued resp. Firefox >= 64 with mechanisms against Cross-Site-Tracking/-Scripting and all other kind of tracking. Beneath this, the Port-Scan-Detektor psad or psd of iptables activated by Linfw3 does its best too! And do not forget FSE (Full System Encryption by LUKS/dm-crypt) thinking of the command mount and therefore also cryptsetup (LUKS) including such chroot... All in all the remaining risk is given only by the started root-processes from kernel from the house Linus Tovalds, although they get blocked by Linfw3 too as long as owned by root by the way already depicted. Especially one root-process envokes some distrust - X (the X-Server, including the graphic card driver), but X can be restricted by own ACl through the command xhost as described in some points from above. There it is described, howto start X with option "-nolisten tcp" and that X can also be started in normal usermode. To get total paranoid, MAC (control resp. restriction of process interaction) might interest too - but that really mustn´t.
This excurs specifies Linfw3, firejail, ACL-Access Control Lists, MAC, Intrusion Detection Systems (IDS, if needed), important Firefox-Extensions upon opened connections and further methods later on, past the section for updating.
Regardless from all Linux-distributions, one and the same Linux gets installed package by package, although this might not possible for each distribution as a fault of their specific architectures (library-structure and so on).
We would prefer the most complete Linux by electing certain distributions getting mixed to call it slackware either by installing a brandnew distribution to mix it up after getting updated or by the backport concept we are going to describe here.
Linux resp. (backported) "Universal-Linux" can origin in mdv2010.1 for example. It is updated long-termed and consequently with Fedora Project (fc), especially CentOS 6 (el6) and CentOS 7 (el7) resp. Scientific Linux (sl6/el6, sl7/el7) and fc -> EPEL (el6, el7) and other el6/sl6 and el7/sl7, where each source package is listed directly under the binary one on pkgs.org. It finally managed to stop leaving rubbish over rubbish of packages from all the outworn over outworn distribution behind. The speciality for the backport-concept is, that almost one and the same version with its own releases get patched over patched in many cases for the same version by new releases, what is marked in the rpm-package name behind the point at the end of the package name, until the intern code does its work stable and secure. So one and the same package-version of the same release got fixed resp. picked out and overworked and overworked until security and functionality (as amost the best sign for security) are given, leading to new releases to one and the same versions. Nevertheless the version might differ resp. change in some, quit seldom cases too.
Secure Programming HOWTO, David A. Wheeler, 2015-09-19
This book provides a set of design and implementation guidelines for writing secure programs. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. It especially covers Linux and Unix based systems, but much of its material applies to any system. For a current version of the book, see http://www.dwheeler.com/secure-programs
https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html
SuSE:
Suse Doc: Deployment Guide - Backporting Source Code
SUSE uses backports extensively. The information in this section helps you understand, why it can be deceptive to compare version numbers in order to judge ...
www.suse.com/documentation/sled11/book_sle_deployment/data/sec_update_backports.html
Debian:
Debian richtet neues Backports-Repositorium ein - Pro-Linux
Mit dem neuen Repositorium "lenny-backports-sloppy" stehen Debian-Anwendern künftig aktualisierte Programme ohne große Risiken und Mühen zur Verfügung.
www.pro-linux.de/news/1/16241/debian-richtet-neues-backports-repositorium-ein.html
This backporting is provided for CentOS for more than 10 years (CentOS 6: from year 2010 until year 2026), accompanied by CentOS 7 (until 2027).
Installed Linux can be completed to talk about this one and only Linux by installing packages from many other distributions too.
You can read more about CentOS and this fact in our section for Updates.
Alternatively you can order this complete mdv2010 already in an FSE-encrypted form (full system encryption by dracut and LUKS) preinstalled on SSD, where all updates past the update expiration time of mdv2010 including those from CentOS el7 and el6 are already installed. Now, just unpack the tarball of an actual Firefox (actual or actual ESR, extended security release from CentOS or Rosalabs) and Thunderbird (actual ESR (el6, el7)) into a directory like /usr/lib64/firefox-any-name and /usr/lib64/thunderbird-any-name and link the executable files /usr/bin/firefox by the command "ln -sf /usr/lib64/firefox-any-name/firefox-bin /usr/bin/firefox" to update firefox in future following the firefox-INFO-menu. We are going to describe the update of Firefox (and Konqueror) explicitly further below. At last you care for a more or less actual GNU C standard library (glibc(pclos)), for this purpose we tested mga6, ver. 2.22-29 form 17. June 2018. Of course all already installed glibc-packages can be upgraded to mga6 (2.22-29) or higher) or main glibc-package (mga6) with all other glibc-packages coming from el6.
We decided us for kernel 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) on the base of the GNU C Standard Library glibc-2.31 (pclos), glibc-2.22 (mga6) out of:
glibc (el8, pclos, mga6), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), libc6 (rosa2016.1, rosa2014.1), compat-glibc (el6), glib2.0-common (pclos, el6), glibc-i18ndata (pclos, mga6), glibc-headers (pclos, el6), glibc-static (el6), glibc-utils (pclos, mga6), glibc-profile (pclos, mga6), glibc-glibc_lsb (rosa2016.1, rosa2014.1), locales (pclos, mga6), glib2 (el6), prelink (mga6, mga7, mga5, pclos, rosa2016.1, rosa2014.1), lib64stdc++ (pclos, mga6) or (and this is our tested-well choice:) glibc complete mga6 or: glibc (pclos, mga6 main glibc, rest-rpm: el6), libstdc++ (mga6), libsigc++ (mga6)
In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.
additionally, but be careful, miroplayer (el6) and the MCC-printer-administration might not work anymore: lib64glib2 (rosa2014.1), lib64gio2 (rosa2014.1), lib64gobjet2 (rosa2014.1), lib64gmodule2 (rosa2014.1). If they do not, reinstall glib2 (el6) and glib2.0-common (el6).
You can get all such glibc-packages from pkgs.org and rpmfind.net without any problems, but the new filesystem of glibc for mga3 since version 2.17 consists of new linked directories in directory root named /bin, /sbin, /lib and /lib64, so that all of their files have to be copied into equal named directories of /usr: /usr/bin, /usr/sbin, /usr/lib and /usr/lib64. This can cause programs like terminal "konsole" not working anymore, so that the cursor remains in the upper left corner of the started terminal, to think about other terminals like the recommended xterm and the very secure rated but no unicode supporting aterm and the next step to do like installing package (rpm) shadow-utils. Konsole is still functioning only, after devpts is mounted in the device-configuration-file /etc/fstab. This can be done by the following entry:
none /dev/pts devpts mode=620,gid=5
with gid for tty and in the user-administration of MCC set user to a member of group tty,wheel,lp. Now it is possible to install many packages from more actual distributions like not only mdv2011 and mdv2012, but also Mageia Cauldron 1 up to 4 and especially Fedora Project resp. CentOS 6.8 el6 (release: 2010, modificiaton release date (rpm) CentOS- resp. SL-release: 03.08.2015) and el7 (in the last two cases with update-guarantees until year 2026).Now software-packages are provided by rpmfind.net and pkgs.org for CentOS (resp. el6, el7, Scientificlinux (sl6, el6), ALT Linux, Repoforge (el6.rf), CERT Forensics Tools, PUIAS Computational, KBS Extras Testing, P.N., Nux Dextop (el6.nux), Rpmforge (el6.rf), Epel (el6), Atomix, Russian Fedora (el6.ru), NauLinux School (el6.nau), Nau Linux Extras, LinuxTECH und Ghettoforge (el6.gf)), Mandriva mdv2010, mdv2011, mdv2012, Mageia5 down to Mageia 1, Rosa2014.1, Rosa2012.1, newest Fedora, OpenSuSE and Tarballs and programs for any other OS to emulate from everywhere. With el6 and el6 you can follow the Gentoo-GLSA (https://security.gentoo.org/glsa/ ) update security list. We list each package in our section for updates. This all can also be made for other distributions, annoying, if not. Folllowing our steps, this OpenSource-System full of device-driver can be made incomparible secure, while the iptables-firewall Linfw3 bewares the central meaning. For more details, please follow the details from our excurs as follows, especially in the section for updates. For this please notice, that one should not be forgotten: to make 1:1-backups during the installation process on at least one extern storage media, especially by command dd.
report from 21.10.2004, last update: 06.23.2017. If you can not see a menu on the left side, please click here.
Time for the system boot < 1 second
It was long ago, year 2010, my computer satisfied my needs, even in future. Soon you will agree. You can not make more secure what is secure, same by versatile and who really follows this report by an everlasting, 100% secure computer-system including a ultraslim 18W-WLED-Monitor (TÜV certified) for about 200€ power-consumption 20 up to 40W only, all for about 200 &euro. Many other models might interest too. On our linksites section for "News&Links" (
we even found out Rasperry Pi 3 and especally C.H.I.P., a 3-W-computer for 9€, a model with much memory and as powerful as the smartphone. Further on we are going to present an independent from defragmentation and (included) virus-scanner and so on most secure Mandriva-Linux-computer-sytem from kiosks for only some Euro in year 2010, that is able to manage quit all one can imagine, because of its covering software seized in about more than 65 GB (15 DVD) quit for free. Not only the suspend-mode is working on our hardware, where the complete monitor gets "suspended", whenever you choose the resting mode resp. state (similar to the poweroff-state by hardware), Gooken of the computer tower blinks and Mandriva (2010) turns off all devices except RAM, in order to
"boot" the complete system in less than one second after pressing the powerbutton of your computer tower!
If this does not function, update acpid to at least 2.0.4 or el6.
For these two suspend modes including hibernate of all in all four modes make yourself sure, that ACPI_2.0 is activated in the BIOS, that the SWAP-partition is sized by around 2 GB and that all USB-devices like usb-memory-stick are plugged out (umounted, umount and unplugged). Now the green LED of the computer-tower is blinking for mainboards like ITX-220 (details see data-sheed). Envoke the system again by pressing the power-buttom of the computer tower. Now a password request out of the OpenGL-screensaver (also used for the case of screen-locking) is made, but only if activated within power-management of systemsettings.
Here once again all
energy saving modes (suspend modes) under "Universal Linux 2010" (backported system) in detail:
- blanked screen, readiness (passive) - dark blanked screen. Some power is already saved by this.
- locked screen - OpenGL-screensaver with user-password request - protection during all the (almost short kept) time, a user abandons the computer. Power is still consumpted, until power saving modes might get into effect.
- abandoned / suspended - The monitor is powered off (almost automatically after a some time set), but awakes again with the user activity like mouse-move, mouseclick or any keystroke. Saved power: 18 Watt monitor-power- consumption
-
hibernation - the actual state gets saved into the SWAP-file, the computer seems to be "powered off completely" , while the BIOS blinks the green LED at the computer tower, but an awake resp. the backup of the state right before is possible by pressing the power-on/off-buttom of the computer-tower. After the awake, the user-password is requested to go on working with the computer in the state right before, if determined by the power-management of systemsettings; saved power: quit all 37 Watt.
- deep sleep - another kind of hibernation or similar to it, but the data is written onto the hard-drive resp. SSD. All internet connections (network manager) got closed after the awake in both last hibernation modes, so they have to build up again.
The following terminal-command
sudo
rtcwake -m off -s 60
is well to test, if the hardware does support the "fast boot" (x86-hardware almost does, ARM-Rechner does it not always). Der Schalter "-m" bestimmt den ACPI-Modus. Mögliche Werte sind "standby", "mem", "disk" oder "off" (komplettes Ausschalten). Als zweiter Parameter ist hier "-s" ("seconds") mit einer nachfolgenden Zeitangabe in Sekunden angegeben. Der obige Testbefehl wird also das System herunterfahren und nach einer Minute neu starten (60 Sekunden). Obwohl mit Schalter "-t" ("time) auch exakte Zeitangaben möglich ist, empfehlen wir, den geplanten Neustart immer mit Parameter "-s" anzugeben. Es ist wenig Mühe, etwa zehn Stunden in Sekunden umzurechnen (10*3600=36 000).
Um Shutdown und Start zu automatisieren, kommt der Zeitplaner Cron ins Spiel: Nach dem Aufruf der Crontab-Editors mit
sudo crontab -e
schaltet folgender Eintrag
0 22 * * * /usr/sbin/rtcwake -m off -s 36000
den Rechner täglich um 22:00 Uhr ab und startet ihn nach 36 000 Sekunden (zehn Stunden) wieder – exakt um 8:00 Uhr.
https://www.pcwelt.de/ratgeber/Linux-Systemstart-beschleunigen-so-geht-s-8259105.html
And... much happened:
incredible 38 Gigabyte Traffic with our websites last month April without making ads: Computer age without aging, no platform without fundamental IT security, so be welcome on the excurs for IT-security from Gooken on
Gooken.de as a significant contribute to the successful interplay of informatics and society!
Now you can resign from things, that the world does not need! So everything is already authorized on DVD mdk2004 - except some special software like Nasa-moon-watch perhaps. After waiting quit the same long time, hardware fulfills important criteria too.
Starting Situation
Whoever posseses a "(mirolike) suneater" (a computer), one theme can interest: security. "Earlier so-called cybercriminals immobilized foreign calculators by computer-viruses, today the data thieves strip of whole bank accounts (by credit-card-betrayal, cracking of chips, debit entries, emails like scams, skumming, hacking and phishing");, wrote the press even after the millennium change. Eyes Since George Orwell we discuss the phenomenon of the Big Brother as someone trying to find out our habits, in order to achieve the aims for his few interests groups. Can´t enumerate all this: Spied offices and toilettes, cams in banks, in railway-stations and airports, right in front of petrol stations and bank automats: The eyes and ears of the big brother seem to be everywhere. Worlds get handicraft and abused (by censoring not fitting facts, opinions and views) .Trains were getting late, delrailed, while planes, cars and ships crashed or sank. Power supply systems had their blackouts, user konterminated by elements from platines and therefore got irrediated by the normal use of hardware, see postings form newsgroups cited and linked on our linkside. Significant preparations against thunder-storms were not made. Prices for power supply drifted. Votings were not encountered right. Opinions got suppressed and manipulated by positionings within search engines and legitimating rules, in some cases their listings took more into effect than prepunishment registers of criminal courts, unmanned airoplanes threatened with shooting us, corruption escalated.
Once, in year 2003, SuSE Linux 7.3 appears including four printed out manuals: one reference, one for the programs, one for networks, but still the market share for Linux except for server reached less than 10 percent. Linux has got the right intellectual touch, many people do not like. The handbooks interest a lot, but did not explain, how to create and manage a really secure computer system. Upon the base of a software surface covering distirbution like mdv-Linux from year 2010 we dare to say it managed us to do so by this excurs resp. report. This mdv also makes it possibles to emulate other popular operating systems on the platform of powersaving but ergonomic fast working hardware. Even diversified games for this distribution understand to convice us very much, many of them are running upon OpenGL and SDL. Nice to notice, and what is interesting most: They and all Software of this distribution do really, really run! See how risky other operating systems had been constituted, for not many people did believe us before it all happened with them:
Focus:de, February 2015:
"Also unreal e-mails from betrayer and cyber-criminals are well known, it is a matter of a few seconds we click on such emails to make it happen. As soon as such email do open, we forbode this email not to be sent only to us. Dangerous viruses can take into effect (prevention: UNIX-Linux filesystems, spam-filter with a first virus-scanner like spamassassin and clamav prevent the propagation of viruses). The second next mistake is to open the atteachments and links too. Cyper-Criminals can rob millons of email-addresses by data-robbery. Inourdays plenty of time is spent online to be reachable so that we can get abused. The problem to protect the increasing amount of data becomes day by day more difficult Fingerprints are left in emails, by online-shopping (registrations, tracking-scripts), whats-app-news and more."
Viruses, trojans, worms, bots: 40 percent of the computers are "zombies", Focus, 02.03.2014
The amout is alarming: 40 percent of all PC in Germany are infectedt and can be remoted by cybercriminals. Once set free, malware opens the backdoorr for more abuse. How to protect: The amount of infected computer increased last year up to 40 percent, confirmed the Anti-Botnet-Support-Center of the internet community Eco. More than 220.000 computer with old browser-versions have been scanned. This forwards to trojans and viruses. In many cases, the first varmint opens the door for more infecitons, describes the community. "Zombie-computers" could be remoted. Infected so colled "zombie-computers" could be remoted by cybercriminals. "Their systems are engaged as part of networks, that are abused by criminals for abuse like spam-transfer or denial-of-service-attacks, leading to die immense harms", described Markus Schaffrin, the ECO security expert. The result is alarming, said Eco. For more security, a well configured firewall and anti-virus-scanner remained essential. Focus explains, how you can find the best virus-scanner (we, Gooken, think it´s clamav. This open sourced scanner is always checked well, as he can be installed on all popular operating systems).
Linux does not work? How you can solve every driver-problem, PC-WELT.de, 04.07.2017
Linux runs on quit all PC and notebooks, but not each hardware periphery is recognized automatically. For new devices some problems are possible.
[...] Linux-distributions provide a wide hardware support and run on quit all PC. With SATA, ethernet, graphic-card and monitor as much as mouse and keyboard there are no problems at all awaiting. Those basic functions should be warranted each case.
Elder printer, scanner or tv-cards without driver for Windows 7, 8 or 10 can often be reused for Linux, but for very new or seldom devices sometimes there is no support pregiven. Before the installation tests for hardware-compatibility should be made.
Report in german language onle: https://www.pcwelt.de/ratgeber/So-bringen-Sie-Linux-trotz-Probleme-zum-Laufen-9789269.html
New nvidia-driver cause system-breakdowns, PCWelt.de, 10.03.2016
Nvidia´s new graphic card driver 364.47 cause serious hard problems for some PC-user. Concered user can do the following: http://www.pcwelt.de/news/Neue-Nvidia-Treiber-364.47-sorgen-fuer-Abstuerze-9943889.html .
Even a supergau in Fukoshima took place! Even have a look onto the section for
"News&Links" from our left menu! If we follow such reports, we remind of emergancies, catastrophes and incalculatable payments. Since computer-technique seems to be part in almost everything (Na/ST), it and the companies behind seem to be quit
liable for all, in person also see our linkside....! One question seems to be central:
Do we reign computers, or do computer reign us?
Computing begins, where it ends
Green LED vs. red LED: "Yes, I think I´am OK vs. yes, I think I am (the) stupid idiot (while our own system signs: "..." with one very short blinking point more or less periodically after the other one in around two up to ten seconds, asking the user back for "any complaints?", reminding him for "more activity, please..." and saying "I tell you...(heartbeats)"), what shall not confound with the three LED at the top of the num-block the keyboard saying to the user "Hi!" and "bye" resp. "out of order" (kernel-panic). All or something, that of course is not essential anymore in the case of touch-screens, and that´s the naked truth. The own computer should be no disadvantage and not stand for riscs (red LED) without loosing his advantages and opportunites (green LED). Computer systems should not think about themselves, that they are stupid for all, by making themselves work with capacities reducing and control wresting self-checks for virus-scans, bot-processes, bugs (program-errors), processes of trojans and self-maintenances as the cause of their technical unjustifiance. This is almost self-signaled by the blinking orange or red LED of the computer-tower. A solution far from MS Windows is found since year 2004 resp. 2010: Gooken does present even more a (classical, quit everlasting) computer-system on lowest costs with quit all software almost in top-graphic running as secure and stable without much blinking of the red LED as computer can! In spite of red marked text and our linksite you become
a witness of the eight wonder of the world named "the almost 100% security bewaring computer running on lowest cost, where there is quit no software of rubriques of all kind missing", even not of games and TOP-games! Please do not forget to read our linksites from the left menu section "News&Links" These linksites contribute to the right understanding of the work with the computer and, although we are going to provide the promised security by this excurs, many remaining threatenings from the outside are still awaiting! For security studies for MS Windows, please have a look upon News&Links too.
Very past installation phase, a system almost free from security-leaks, maintenance and administration will be provided. The only thing one has to do from time to time is, to install some actual updates.
MS Windows "Replacement": Windows-Emulation by virtualbox, VM, qemu, xen, mingw and wine (mdv2010), same for MAC-OSX by BasiliskII and Amiga by uae and so on
Through wine, winecfg and at last playonlinux of mdv2010 emulation of software running on MS Windows (98, XP, 7, ... ) including MSOffice and Internet Explorer 6 up to actually 8 is not the problem anymore (although in our opinion with the well-equipped mdv2010 we need much or anything of it...). More than 100 Top-Games: see our data sheed.
Frontend playonlinux presents software, that can be installed groupwise like accessories, development, education, games, graphics, internet, entertainment, office and others and offers the following software in detail beneath many other one to install:
MS Office, MS Word Viewer, Intenet Explorer, 6 up to (actually) 8, Google Picasa, WowApp, 7-Zip, Ultimateencoder, Amazon Kindle, Azuon, Cadstd Lite, PDU Spy, Photofiltre Studio X, Dreamweaver, Codeblocks, Flashplayer, Flash 8, Flash MX, Notepad++, Graph, Teach2000, Simultit, Rocket Reader, Huckel 95, Adobe Photoshop, Fireworks8, Microsoft Paint and more, more than hundred games see our data sheed!
playonlinux installs different Wine32 and Wine64 depending on the programms chosen.
It also offers installation of any setup.exe regardless from the download out of the internet, that means from harddrive or CD/DVD too.
Installation
Wine: How to use the Windows-Replacement in Linux, PCWelt.de, 08.11.2015
Wine is a a clone of the Windows-API with many windows-programs to run under Linux too. Whenever functioning, it is in opposite to virtualization (virtualbox, Xen, qemu, ... ) the more direct way: http://www.pcwelt.de/ratgeber/Wine-So-nutzen-Sie-Wine-als-Windows-Ersatz-9790018.html, zahlreiche Top-Games aus playonlinux siehe unter Datenblatt.
PCWelt also presents security tipps for the user, PCWelt.de, 03.08.2015 and 22.08.2015
Create your VPN (private internet tunnel)
Most public WLAN-net are - as already told by name - public. Hacker, equipped even with only a few programs, can "catch" the traffiic from the next area. Although it is useful to provide more security by calling websites per https in the address-line of a browser, it is not the best solution. A private network (VPN) should be used, in order to provide an encrypted data-tunnel between your device and the internet. There do exist versions of such programs for free like "Hide My Ass", "Hotspot Shield" and "Tunnel Bear"- a payed VPN belongs to the better alternatives (or use the real secure freeswan, strongswan, openvpn or openswan). The versions to pay like Hide My Ass cost 40 € the year for example and protectis not only your PCs but also your mobile devices.
libreswan (rpm):
"Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up Libreswan. To build KLIPS, see the kmod-libreswan.spec file. Libreswan also supports IKEv2 (RFC4309) and Secure Labeling. Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04"
You can use a virtual private network-client for free like OpenVPN (or Freeswan, Anm., die Red.), in order to connect to a VPN-service, where you have an account, so that you can visit the internet through an encrypted access. This is a good reason for VPN, but not the only one.
Maybe you do not want, that your internet provider surveys all your online-activities at home. Normally, if you go online, the provider can survey all of your activities. By VPN your internet service provider can only see the connection to the VPN. Besides from this VPN help you to bypass regional restrictions for websides like Amazon, Hulu, Netflix and BBC iPlayer. One example for a VPN-provider is the company IPredator from Schweden offering VPN-services for eight Dollar the month, keeping its connection to the famous torrent-tracking-site "The Pirate Bay". IPredator promises not store any traffic data of their user. You can also use PGP-encryption, if you contact IPredator-support per mail. One more popular VPN-provider is Private Internet Access, that promises not to protocol traffice data too. PIA costs 7 Dollar per month or 40 Dollar the whole year. PIA also helps to bypass reginal blocks in the USA, Canada, Great Britain and several countdries in continental europe.
Although VPN protects your privacy, provider of websites like Facebook and Google can protocol your internet-activites. The use of your anonymous-private-mode of your browser is not caring for complete anonymity, but it keeps websites from reading out your cookies and the histroy of your browser, in order to get more to know about you. We are going to see, what we can do, comment by Gooken.
Howto configure and establish VPN-connections can be read here (in german language): http://pdf.zeit.de/digital/datenschutz/2013-01/serie-mein-digitaler-schutzschild-vpn-ipredator.pdf .
The risk remains by the VPN-provider, as he knows the IP-address - so you have to convice him. This is the central disadvantage in opposite to Tor.
I2P is a decentral network connecting users, in order to make an point-to-point- (end to end-) encryption possible. It is still under development and provides an experimental additon to other methods for encryption or anonymization.
Tor is a connection-based low-latency anonymous communication system. This package provides the "tor" program, which serves as both a client and a relay node. Scripts will automatically create a "toruser" user and group, and set tor up to run as a daemon when the system is rebooted. Applications connect to the local Tor proxy using the SOCKS protocol. The local proxy chooses a path through a set of relays, in which each relay knows its predecessor and successor, but no others. Traffic flowing down the circuit is unwrapped by a symmetric key at each relay, which reveals the downstream relay. Warnings: Tor does no protocol cleaning. That means there is a danger that application protocols and associated programs can be induced to reveal information about the initiator. Tor depends on Privoxy and similar protocol cleaners to solve this problem. This is alpha code, and is even more likely than released code to have anonymity-spoiling bugs. The present network is very small -- this further reduces the strength of the anonymity provided. Tor is not presently suitable for high-stakes anonymity., rpmfind.net about tor, 18.01.2016
Another example, why to resign from TOR is named by PCWelt.de:
"In November last year the anonymizing-network Tor started his first spend campaign. With overwhelming success. Exact 205.874 US-Dollar (around 190.262 Euro) from 5265 different givers are taken by the project Tor during six weeks. With this amount of money, the Tor project is going to reduce the dependencies from the US-government, financing Tor of about 80 up to 90 percent. As the US security agencies try to infiltrate the tor-network, it makes sense Tor making more independent from USA. Alleged the US-policei FBI spent one million dollar to an explorer of the Carnegie Mellon University, in order to help the FBI, to intrude into the anonymizing-network. The NSA is going to crack TOR too.", http://www.pcwelt.de/news/Erfolgreiche-Spendenkampagne-fuer-Anonymisierungs-Tool-Tor-9916676.html
Tor - no absolute security, heise.de, 30.08.2016
The anonymizing network like Tor left security leaks and access points: if many Tor-nodes gets observed, conclusions to the location as much as identity of a user can be drawn - and not only by institutes by law than NSA. There are some tor-based virusses and malware on their way - probably seldom, but really existant, http://www.heise.de/download/product/tor-browser-40042 .
Protect the router
The most important connection to the internet for the everyday life is your router at home for the use of online banking and so on, where sensible data is transferred. So do not use ever the same passwords, especially not that of the router. For most secure home connection always use WPA2-encryption and random generated login-passwords out of at least 30 characters, that should be kept within a password-manager. One more report about router is following below at the end of step 1 of this excurs.
Resign from Java (whenever possible)
Oracle´s Java does not belong to the required software for PC-user for our relief. Java is full of lacks in security. Security experts postulate from Oracle the complete overworking of Java. January 2013 they advised all PC-user to deactivate Java as possible, that means except the cases where Java is needed. One should wholehearted attempt to delete Java from system completely and at once! This can be done for MS Windows by the system control. Nevertheless, if a webside requires Java, the recommend of installing actual Java software is not missing.
Be careful with the password-recovery of mail accounts
Make hacker the life as hard as possible. Use different mail-accounts with different passwords kept in a password manager with hard to hack address names like "myrec0v3ry_ZMf43yQKGA@outlook.com". Then hacker can not hack in an easy way and especially not all passwords at once.
Do not use only antivirus-software but also anti-malware-scanner
Virus scanner alone do not cover and remove all malware. It is a good idea to use malware-scanner too.
Screen the webcam
Times were known, malware sended word-documents all over to email-contacts. This can get even more and more worse, if computers are suited with webcams and microphones. Put adhensive tapes, maybe with paper between, over the lense of the webcam. Whenever the webcam is needed by the user, he just has to deduct it.
Databasis (SQL)
Password-protection for MySQL after the login into MySQL by starting the daemon mysqld and entering "mysql -h -localhost -u username -p" in order to type into beloginging terminal:
| grant usage on *.* to ´username´ identified by ´password-to-set´; |
This method is advised as secure. Alternatively, but for some protocollings not such secure:
| SET PASSWORD FOR ´username´ = PASSWORD(´password-to-set´); |
The (own) computer should escape from the dark empire, here named by Miro´s "Suneater", but how?
Technical failures cause from human ones. "The way is the target", means their leader Konfuzius. Gooken itself is a meeting place for the scientific based IT-Security since computer might run secure. Its excursion is introducing the security-concept without the accumulation of any costs for consultation, training, conversion and licenses. It does so by realizing a secure and standard company management database and an everlasting as possible, standard IT-Security-concept for your computer-system through all of companies (fields, mandators, master, departments, standard-processes, editor, printouts, diagrams, security) intergrating
Mycompanies company management in PHP-MySQL standard with intergratable PHP-FCKEditor for text-fields, also all ready for WEB-2.0-and 3.0-technology, the determination of security levels,
computer-manual, (security-)commands, checklist and prototypes in order to resign from scans from hard-disks as much as from the amount of essential updates and upgrades to none (!) at all as much as possible, a deep look into the work resp. code of search-engines like
Gooken,
"News&Links" especially for the friends of MS Windows to carry on
and more. In comparison with other projects, those of Gooken do not only consist of an everlasting character, but also find an end to the very beginning!
Theory
All this direct help online is offered to beware stable positions right before law and opposite fellow men. It is is realized by adjustments and downloads consisting of SQL through company.
management, pdf like the computer-manual with checklist and surface covering security-software for prevention, diagnosis and repair to solve the survival-request of computer-age with its central rating for computers completely concretisizing
the book "Security in Information Technology" second edition by Prof. Dr. Kersten, Oldenbourg-Hochschulverlag from 1995. Therefore Gooken tries to contribute to the calm, troublefree enterprise!
Quit all needs and security problems of the computer can be solved! Gooken offers
Introduction-"basics" to reach the highes IT-security-level" as possible, and a pdf containing also next step 2 to reach an enhanced IT-security-level, pdf system-(security-)commands and pdf checklist,
Anonymizing Proxyserver
surfing with the anonymizing base64-, rotate-13 URL- and SSL-encrypting
Proxy and den base64, rotate13, nonssl
Proxy for free (with restricted capacity for dowloads) programmed by Abdullah Arif. In both cases, for payment as much as for free, IP are not only exchanged, but also all kind of scripts including tracking-scripts beneath cookies get blocked, by choosing the option "remove scripts". This is important to avoid methods like Canvas Fingerprinting, details see our "online check". If there is no access for our free proxy, try https://www.vtunnel.com.
Webdesign- and programming in HTML, JavaScript, PHP, PHP-MySQL and MySQL
Search engines
Many search-engines tell us, that we can search secure, because they resign from storing the IP of their user. But since Edward Snowden june 2013 the fact is,
that many search engines host on server within the USA, even those recommended by so called privacy protectors. Such search-engines have to refer to the Patriot Act and US-law and therefore have to serve the full access of US-authorities. So they can not offer protected privacy (even not, if they try. source: metager, year 2014).
German government and the EU-commission, Tagesschau, 21.05.2014: Mundt supports the demands of Bundeswirtschaftsminister Sigmar Gabriel postulating a hard reglementation and the annihilation of the Google concern. Paris also postulates for harder rules. The minister and his french administration colleague Arnaud Montebourg postulted in a letter to sharpen the suggested conditions for Google. Indeed the ministre from Berlin and Paris do not find the sympathy of the EU-competition commissioner Joaquin Almunia signed by scepsis against the annihilation of Google. But all with Google is by far not obivious. It can not be exclude the commission following all the compaints against Google in further processes by law, explained Almunia at the same time.
Instead the platform independent
Gooken is a self-learning search-engine with SSL-support. Gooken was developed for answering still unanswered questions in conjunction with IT-security past our excurs with downloads as much as for any purpose.
You are searching completely anonymously, no click-registration by meta queried searchengines! Actually, no data are stored, neither your IP nor the user-agent-specification of your browser! Gooken resigns from tracking-scripts, participating in a web-advertisement net as much as from server-farms! You can open all websites anonymously.
Open Website Reputation: Gooken 100/100
downloads making Linux, what it proclaims to be: free from any intrusions, without any hacker and any trojan and therefore secure independent from most distribution and version: Linfw3 - the unbeatable fortress with protection against insecure browser-plugins - the comfortable end of all hacker and trojan (for single user, client, server) - besides Klean, Rename-Manager, the (LAN-supporting, platform-independent) PHP-MySQL-library Bibliomaster, platform-independent PHP-MySQL company-management-database Mycompanies and
a filterlist for the adblocker of the konqueror and other adblocker from the Easylist and during the time collected entries
Trials against small money for the attempt to improve your online-reputation within the internet on price at agreement
Fedora and CentOS (resp. ALT Linux) Updates, Linux for Security, and Top Seven by Susan Linton - Jan. 17, 2014Comments (0)
Related Blog Posts
Microsoft Linux, Fedora 23 Beta a GO
Magical Mageia Review, Mint 17.3 Named Rosa
LinuxToday was another interesting day in the newfeeds, so much so I can܌t pick just one. There were several headlines focusing on Fedora or CentOS (resp. ALT Linux) today. Linux.com has posted a top seven distro list for 2014 and Jack Wallen says CESG recommends Linux for security. Tha´´s not all either. First up today, Jack Wallen over at TechRepublic.com published an article discussing the results of the United Kingdom´s Communications-Electronics Security Group (CESG) operating system security tests. The tests consisted of 12 categories of security focus such as Disk Encryption, Authentication, and Platform Integrity and Sandboxing. As if there was any question, Linux proved the most secure of all the desktop and mobile systems tested. So, be sure to check out Wallen´s article for more detail and relevant links.
Operating Systems and covering well designed Software ready to start: after all those computer systems really one to work and game with (stable)!
mdv on USB-memory-stick: Opensource from (bootable) DVD, (bootable) USB (-memory-stick and memory-cards), from DVD onto SSD and HDD,
so take the - as we think - one time chance to avoid in future not only computer-techique but also all operating systems. This can be performed by the shell-script mandriva-seed, unetbootin and other programs.:
mdv on DVD: from mdv-final for quit all devices - comuter-final, computing has right begun, where it ended: Opensource-2010-FINAL, secure, easy to handle, but most comfortable Linux fullfillingFSH 2.3 (Filesystem Hierarchy Standard) and ISO-standard-LSB 4.0, with 65 GB (15 DVD) + Fedore rpm + unlimited software from see our data-sheed (left menu) also recommended by prism.break.org, stable and secure from DVD onto your SSD (and/or harddrive) with lifetime installation-support, fc-SuSE-mdv: We also offer complex as much as the mdv2010 already updated, stable and secure Linux-distribution powerpack+final version mdv2010.0 from year 2010 (x86_64, 64-bit, optionally MAC based ("NSA-")Tomoyo-Linux by NTT DATA Corporation, Japan) with driver-comfortable kernel 2.6.31 (2.6-final resp. Knoppix 2010 like mdv-2010-Kernel 2.6.33-7-2, 2.6.39 (with allow-discards-support for FSE and FDE and patches up to actual date from see in our section for updates) or kernel-4.20.13 (pclos/PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos), kernel-rsbac (hardened), RFC-rules bewaring methods for encryption, Firefox 3.6.17 you can update to an actual version like Firefox ESR, patched bash, LUKS/dm-crypt (cryptsetup) with most driver for desktop-computer, all postscript-based printer, PPD from manufacturer or diver-CD, alternatively see compatibilty-list and foomatic-, PPD- and cups-filter-driver and cupsddk (cups driver development kit) from these DVD or
Linuxfoundation, openprinting.org and powerpack+ from year 2007 (i586, 32-bit), many graphic-card-drivers including IPG-driver intel, IGP-openchrome and IGP-unichrome3D, ati-, nvidia- and the universal VESA-standard-graphiccard-driver and other ones; each version out of one
installation-DVD (1) for the binary-packages (rpm),
one DVD for more mdv-2010-software-packages, most already known from mdk10.1 (2004) (2) including Debian Linux paket-manager (apt, dpkg, alien), debbuild (el6), debmirror (el6) more drivers and software listed in the data sheed below and one DVD for the belonging (updated)
sourcecode-packages (3):
3 DVD Linux total, stable and secure mdv2010.0-final (x86_64) or mdv2007-powerpack+(i586), 3 × 4,4 GB comfortable, most stable and secure Linux total, free from shipping costs, for 20 € 24h-livetime-support from fr2.rpmfind.net and sources or installation-DVD mdv2010.0 from http://linuxisos.de for 8 € (2013), or
mdv from SSD: 65 GB mdv-software (15 DVD for mdv2010 out of mdv2010.0, updates, mdv2010.1, mdv2010.2 including all GLSA-updates except KDE and 2014 patched bash and openSSL 1.0.2, Firefox ESR ) extract see data sheed plus source-rpm from your sent-in at least 120GB sized SSD, FSE (FDE) of all partitions: root (around 65 GB) , (by keyfile from the root-partition automounted) home (around 25 GB), SWAP (around 3GB) and one more partition (around 30GB), 24h-livetime-support from fr2.rpmfind.net or
After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".
mdv out of the internet: mdv2010-packages for free from: http://fr2.rpmfind.net/linux/RPM/mandriva/2010.0/x86_64/index.html, http://fr2.rpmfind.net/linux/RPM/mandriva/2010.1/x86_64/index.html and, http://fr2.rpmfind.net/linux/RPM/mandriva/2010.2/x86_64/index.html 24h-livetime-support from fr2.rpmfind.net and sources, plus quit all Linux-tarballs,
kernel-4.20.13 (PC-LinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6, version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos) resp. kernel-desktop-2.6.39 (mdv-2011-standard-kernel), kernel-server-2.6.39 (standard-kernel with patches up to now, year 2016, from see our section for updates), kernel-linus-2.6.31 (original kernel from Linus Tovalds), kernel-rsbac (hardened kernel), kernel-uml (protected usermode-kernel), xen-Kernel (XEN-virtual machines), lirc-kernel (infrared-driver), kernel-tmb (laptop), kqemu-kernel (kquemu-driver for the standard-kernel), vpnclient-kernel (vpnc-driver), fglrx-kernel (nvidia-driver), em8300-kernel, broadcom-wl-kernel, hfsmodem-kernel, madwifi-kernel (WLAN-driver), libafs-kernel, lzma-kernel, kernel-rt (SMP-onboard-Realttek/Atheros-LAN-BIOS-Chip with an activatable LAN-ROM), fusion-kernel (fusion-driver), kernel-netbook, kernel-openvz (SMP: multiprocessor-kernel), libafs-kernel, kernel-kerrighed (kerrighed-Support), obencbm-kernel, psb-kernel, actuator-kernel (actuator-driver), lzma-kernel (lzma-driver), m560x-kernel, broadcom-wl-kernel, nvidia-current-kernel, nvidia96xx-kernel, nvidia173-kernel, netfilter-rtsp-kernel, fortune-kernel, vhba-kernel (vhba-driver), em8300-kernel, r5u870-kernel, r5u870-kernel-laptop, squashfs-lzma-kernel, vboxadditions-kernel, virtualbox-kernel, actual Kernel-3.X.X (from fr2.rpmfind.net or kernel.org), ...
Notice, that in order to keep transparency and other aspects, the system boot does not in main follow the kernel with its many firmware, but the runlevel-init-scripts out of /etc/rc.runlevel0-6 out of tarball resp. rpm named initscripts and util-linux, almost steered by the script named init.
uml-kernel: User-Mode-Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions and poke around in the internals of Linux, all without risking your main Linux setup. User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software; you need an uml-kernel and an adequate root-fs-filesystem of about 1GB from http://uml.devloop.org.uk/; start: #./smb-kernel-name ubda=name-of-root_fs rw mem=256m; stop: #halt.
The Filesystem Hierarchy Standard (
FHS) defines the directory structure and directory contents in Unix and Unix-like operating systems, maintained by the Linux Foundation. The current version is 2.3, announced on 29 January 2004.[1]
Only some Linux-distributions fullfill the Filesystem Hierarchy Standard and
LSB standard. The Linux Standard Base (LSB) itself is a joint project by several Linux distributions under the organizational structure of the Linux Foundation to standardize the software system structure, including the filesystem hierarchy used in the GNU/Linux operating system. The LSB is based on the POSIX specification, the Single UNIX Specification, and several other open standards, but extends them in certain areas. According to the LSB, the goal of the LSB is to develop and promote a set of open standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system even in binary form. In addition, the LSB will help coordinate efforts to recruit software vendors to port and write products for Linux Operating Systems. The LSB is registered as an official ISO standard. Linux Standard Base aims to make binaries portable.
mdv2010.0, LSB-version by after typing in the command
LSB Version:
lsb-4.0-64...
Distributor ID: MandrivaLinux
Description: Mandriva Linux 2010.2
Release: 2010.2
Codename: Adelie (Napoleon, annotation by the red.)
With mdv2010 software is not only covering, it also can be displayed advantageous and interesting:
Window-administration (die hält, was sie verspricht): always-in-foreground, always-in-background, remember, force of positioning and seizing function and so on, fringes, work surface assignment, window-heaver, menü for behaviors, screen-edges, window-effects, changes of windows, actions, activation, spezific settings, ...
Effects for the desktop: kiba-dock, 3D-window-galery, 3D-windows-stack, fade in and out for the system-login and -logout, cube, preview (of minimized windows), showcase with miniaturized images for opened windows, translucency, transparency, dimming, zoom, auto-reticle for centering, gliding, magnifier, shadow, wonderlamp (during the maximizment of minimized windows), wave, ... on the base of composite: spotlighter (justable desktop-spotlight), ardesia (desktop-sketching), curtain (curtain to move on the desktop from one side to the other)...; like plasmoids without markable loss of performance for active processes of mdv2010.
Key-strokes for KDE-desktop-effects: STRG+F9 or mouse pointer into upper left corner: preview with mini-pictures of opened windows, ALT+TAB: window change, STRG+ALT+Scrollrad: window-transparency, STRG+Arrows: cube-rotation of the workplaces
Plasmoids resp. plasma (applets) for the desktop and the controlbar (please notice, that in differnence to mdv2010-rpm-packages actually not all of them do function, so we have to wait, and that some of them get their information
Desktop right upper corner with halfmoon-plasmoid: toolbox out of add control-line, configuraiton of key shortcuts, adjustment for the active-directory-perspective, enlargement/declinement of fonts and symbols and unlocking of the (plasmoid-)miniprograms
to present out of the internet): Daisy (free program choice within rings or bars), Lancelot (desktop-menu), timezones and weather, birthday-reminder, calculator, widget-dashboard, system-monitoring, multiple rowed fast-loader (more-rowed compressing collector for icons with optional mini-pull-down-(up-)menu), unit-conversion, LCD-weather-station, weather forecast, wordclock with timezones, accu-check, image frame, comic, egg-clock, jumping ball, colorchoosing stick, calculator, moon phases, zoom, social desktop, ToDo-lists, remember the milk, system-monitor, guitar-tuner, image-preview, widget-dashboard, birthday-reminder, flickr, language-translator, sun-system, fishtank, DVB-signal-meter, newsticker, Mountoid, Bundesliga, Facebook, Flickr, bsun (wandernde Sonne), FrustML resp. (Mensch-Ärger-Dich-Nicht), Fancy Tasks (quickstarter similar to cairo-dock), Koala (similar to Tamagocchi), Astrocalendar, Plasmio (SMS), daisy (desktop-icons in a cricle), 15 stones,Tomatoid, egg-clock, spell verification, blackboard, WorkContext (nepomuk) and much more ...
Gadgets, Apps-Installer, ...
Gai, The General Applet Interface Library von http://fr2.rpmfind.net oder http://gai.sourceforge.net : gai-pal, gai-album, gai-bgswitcher, gai-blobs, gai-clock, gai-mailcounter, gai-nebulus, gai-sun, gai-othello, gai-pager, gai-terrain, gai-visual-audio, gi8k, gwlan, vpn, bluecombo, FishTime, shermans-aquarium, TV in a box (tvib), usermon, ...
Cairo-Dock from http://fr2.rpmfind.net or http://www.glx-dock.org/
krunner: KDE Semantic desktop search per singe mouseclick on the base of gingko resp. akonadi and nepomuk and so on (all upon MySQL) by direct text-search like Cortana for MS Windows, ideal per mouseclick from the taskline or out of the KDE-start-menu, in order to search for names, database entries of all kind, textfiles, audios, images, videos, e-mail, news (Usenet), command execution, date and time, desktop-sessions (user exchange), kopete-contacts, contacts from kontact, webbrowser-history, konqueror-sessions, bookmarks (to find and envoke), units-converter, media playing, nepomuk (semantic search), locations (open files and addresses, ginkgo resp. semantic view during the saving of documents and other files), (opened and closed) windows and work areas (and their includes), plasma-desktop (interaction with the plasma-shell), TechBase (search within the KDE-TechBase), Wikipedia (searching in Wikipedia), Wikitravel (searching in Wikitravel), dictionary, recent documents, devices, kate-sessions, kget (links to download-manager kget), konsole-sessions, language translator, special chars (creates special chars) and so on: krunner (el6, ..., mdv) (or press ALT+F2)
rpm-description:
"Ginkgo (KDE (mdv2010.2, mga, rosa) is a graphical front-end for managing data semantically. Ginkgo lets you create and explore links between your personal data such as e-mails, contacts, files, Web pages. It harnesses the Nepomuk framework."
Start ginkgo (KDE (mdv, mga)): Click upon a directory or file ->, context menu -> "Annotate" (context menu of KDE (mdv2010.2) -> Ginkgo: data record with different text fields
For KDE (el6, OpenSuSE-11.2 4.4.4, 4.4.11) ginkgo does not function, but clicking upon "semantic view" during the saving of documents and files is a good alternative, as it opens the same text-input-fields like ginkgo.
Now you might want to click onto the pliers symbol (settings) and modules, in order to deactivate Wikipedia, Wikitravel and the Google language translator.
[SOLVED by Gooken, 21.10.2016: drkonqi: One or more
akonadi_resource do not work or cannot be found]
At first, lookout for akonadi (el6) installed (rpm -qi akonadi).
There are three rpm-packages full of akonadi_resources like ical, birthdays, kcal, knut, kolabproxy, localbookmarks, mbox, microblog, nntp, notes, vcard, vcarddir, nepomuktag, strigi, kabc, kcal and imap: akonadi-kde (mdv2010.2) and kdepim-runtime (el6) with kdepim-runtime-libs (el6).
Now enpack akonadi-kde (mdv2010.2) and copy the not working akonadi-resources, that can be found in rpm´s usr/bin/ to /usr/bin.
The other direction from kdepim-runtime (el6) to akonadi-kde (mdv2010.2) might be the correct one in some cases too.
If you want to start nepomuk-semantic-desktop-search (krunner):
1 eventually start the strigidaemon: /usr/bin/strigidaemon&
2 start desktopsearch-KDE-control-modul ( systemsettings or krunner:enter "nepomuk", in order to select it ) -> 3 select files to index / Dateiindizierung (Verzeichnisse auswählen) -> 4 activate both, nepomuk and strigi / Nepomuk-Semantik-Dienste und Strigi-Datei-Indexer zugleich aktivieren.
3 If the error message ( like "akonadi_ical_resource can not be executed successfully" ) still appears, start akonaditray and remove the belonging resource out of the resource-listing. Many resource can be removed, but maildis, maildir and mailtrans are always needed for kmail.
Desktop-Screenlets, image: GUI-Screenlet-administration with more than 100 screenlets additionaly downloadable ones and screenlet-daemon, screenlet in the fore- and background, scalable size, widget-attribute, more attributes like: growing flower ( to give some water from time to time), slideshow, pager, control (to add more screenlets), radio, meter, stocks, speech, sensors, ringssensors, ruler, convert, example of howto create a screenlet, copystack, clear weather von weather.com, ...
For more details see the data sheed from left menu.
"4.65 from 5 stars are the results of the average voting of a test from year 2014 for Mandriva based upon 204 meanings of customers from Erfahrungen.com investigates regulary such votings from all sources out of the internet, that are carefully read out by hand and stochastic methods."
Mandriva Metisse takes 3D to a New Level, http://cybernetnews.com/mandriva-metisse-linux-takes-3d-to-a-new-level/
This morning I´ve been watching videos of the Mandriva Metisse Linux that, in my opinion, puts some amazing 3D features at your fingertips. All of this XGL and 3D stuff is often shrugged off as merely being eye candy, but there are four video demonstrations that really show the usability that these features can really offer. I always thought that openSUSE Linux was always the furthest advanced version of Linux since they often implement the latest technology. However, Mandriva seems to be taking that crown away, and I have really considered switching to it as my primary version of Linux that I use. I like the look and feel of their operating system, and it is obvious that they are exploring new ways to make it the best it can be.
Download Mandriva Metisse
Thanks for the tip Chris!
Convince yourself: The quit short and many years overworked errata-list of the comfortable mdv2010.0 can be directly obtained from
Mandriva Errata 2010.0. Not all of the mentioned problems there have to be solved. With mdv2007 and mdv2010 the time has come to install many, if not all, packages of this distribution and maybe more tarballs at once on the same SSD resp. harddisc instead of, to go sure, a few ones only as generally recommended by institutes like BIS.
The address of Mandriva is not missing on mandriva´s homepage.
Mandriva S.A. (prev. Mandrake), Paris, St. Etienne, Frankreich, Tel...., email-addresses... ( founder: Gael Duval, 70 persons employed )
"Mandriva Linux the brainchild of Gael Duval, who wanted to focus on ease of use for new users. Duval became the co-founder of Mandrakesoft". Most packages origin in Fedora (but I knew a distribution of Fedora on DVD from the same year 2010 remaining quit scanty in comparison).
Abb.: System tray (plasmoid) out of Krandr (screen resolution), kmix, Klipper, parcellite (additional configuration of klipper), NetworkManager, Stardict, USB-connections and encrypted partitions, kgpg, korganizer (calender and. dating planner with reminder function), printer-applet (printer jobs), nepomuk (semantic search), i - information for system messages by kwrited (actually not started, that means still without: knotes or tomboy, tvbrowser, ...), clock with date and calendar and the fast screenlock- and poweron-off-plasmoid; enfastened load of the tray after the deinstallation of interfering draksnapshot
"Mandriva Linux 2010 - perhaps The Best Linux Release All Year - Mandriva Linux 2010 was recently released and brings lots of nice improvements to an already nice system. Mandriva has a long and distinguished history in the Linux distribution arena. They began over a decade ago using Red Hat as their base and quickly became the preferred choice of the new Linux user. This release hopes to offer some amenities to appeal to users of newer trends in technology such as semantic desktop and netbook support. The Mandriva Linux installer sets the standard in user-friendly Linux installers. For those familiar with Mandriva this release brings some great improvements. The best two so far have been the increased stability and performance. Mandriva may have had a reputation for being a bit crashy in the past, but it appears those days are gone. In the several days since a fresh install only one application crash has occurred here, and this application is known to be unstable across distributions. This new-found stability comes with even better speed as well. Not only does Mandriva boot quicker (speedboot: kernel-parameter that can be set in /boot/grub/menu.lst or /etc/lilo.conf, speedboot=yes), but desktop performance has improved noticeably. Applications open and function faster, including the two heavyweights OpenOffice.org and Firefox. There is virtually no graphic artifacting and redraws are immediate. In addition, the 2010 graphics are just beautiful (source: http://www.makeuseof.com/tag/mandriva-linux-2010-perhaps-the-best-linux-release-all-year/).
mdv2010 enpossibles to choose any design and style out of desktop, appearance and desktop-design-details from systemsettings and gnome-control-center - self mades as much as pregiven ones. A screen covering bootsplash can appear right up at the beginning when powered on using grub or escpecially grub2. Color-schemes can be imported like the one from the CD of the monitor-manufacturer and there are a lot of emojis. Addtionally plasmoids and many ressources-saving 3D-deskop-effects can enrich the desktop. With compiz, the deskop-workplaces are ordered cube or metisse, while the desktop-background can be any wallpaper, slide-show, global map, weather map, mandelbrot and so on as much an image on the fly. Especially OpenGL, fast direct-rendering, SDL and pulseaudio guarant the video- and audio-processing. Mandriva´s center of gravity lies together with the up to year 2060 actualizing Scientifclinux (sl6, el6) alias CentOS 6.7 (el6) and 6.7 (el7) in the extended hardware-support of our days as much as in future.
Nevertheless keep an actual mirrored 1:1-backup on another media during the installation! After all the installation, mdv2010 is running fine.
Mandriva for free:
Mandriva Lx 2014 1,6GB free download. Notice, that we would like to keep mdv2010. Therefore we did not test this Mandriva-distribution!
Bootstrap of mdv2010 (creates) a basic
Debian system: debootstrap is used to create a Debian base system from scratch without requiring the availability of alien, dpkg with debbuild and debmirror and/or apt. Notice, that in comparison with package manager of mdv2010, those off Debian 2010 like aptitude and synapitic do consist of errors, error-messages, breakdowns and bad overviews. It does this by downloading .deb files from a mirror site, and carefully unpacking them into a directory which can eventually be chrooted into (although we recommended to forbid this command). Debian is also supported by dpkg, apt, dselect, dash, ..., but with mdv2010 there seems to be not much Debian software missed, see http://fr2.rpmfind.net/linux/RPM/mandriva/2010.0/x86_64/. The coloured out listings of Mageia Cauldron - and Mandriva-rpm to select is most satisfying on http://fr2.rpmfind.net.
Mandriva-One (mdv2010.2-final, i586) direct bootable from your USB-memory-stick, USB 2.0 and higher. Harddrive and SSD do remain not only unused, but can also be used for installation.
Linux on your USB-memory-stick:
with a free partition of at least 2 GB or unformatted for 64- and 32-Bit-CPU, mdv-fundament, optional installation onto your harddrive resp. SSD, kernel 2.6.33, grub (with a optional md5-encrypted password-protection for each bootable dracut resp. kernel and memory check by memtest) and lilo (boot-manager, especially for kernel < 2.6.39), Firefox 3.6.13 including the security-addons we recommend and privoxy, KDE 4.4.5, Dolphin 4.4.5, Konqueror 4.4.5, Kontact with kmail and bogofilter, clamav, Korganizer, OpenOffice, packet-manager drakrpm, rpm, gurpmi and urpmi, drakconf, gparted/parted (for changing the partition-size even on USB-stick), software for repair, mplayer (i chose video: X11 (XImage/Shm) and audio: sdl SDLib audio output), mplayer-codecs, mplayer-codecs-extra, mplayerplugin, amarok, image viewer, gimp, gcc, gcc-c++, kwrite, fsck, rkhunter and chkrootkit, xskat, pysol, gnuchess and eboard with crafty (chess), shell-shock resident bash, bash-completion, konsole, xterm, many repair-functions and so on, mdv-i586-rpm-packages OR
of
at least 6 GB free partition or unformatted 5.5GB more mdv2010-software from installation-DVD out of all rubrics like gparted, system-monitors, system-tools and more programs for repair, wine and qemu (emulation), k3b and brasero, xscanimage, xsane, tesseract, gocr, cups, xine, totem, flphoto, gtkam, tvtime, zapping, dvbtune, jikes, kino, audacity, supertux, toppler, rocksndiamonds, ....
both free from porto the way back to you. Therefore you just have to put your USB-stick and 10€ protection-fee into an envelope to send it to our address, see
impressum. Before your order this, please test your BIOS, if it supports the booting with USB-storage-media (BIOS-boot-sequence and/or keys to determine the boot-sequence like F8), username: user and root, password: mandrivaone.
Reader discussion on netzpolitik.org, Opensource disconnect vs. proprietary Ghostery
chromax 29. JUN 2015 @ 20:42
Where do you know, if OpenSource-code refers to the compiled one? Still missing security…
Antworten
CrX 29. JUN 2015 @ 22:06
This question is of academic nature. Practitioner interest in the verficiation (indentically) of executable files and source code.
Therefore oneself compiles the Open-Source, if confident with it.
Antworten
skoam 24. SEP 2015 @ 10:09
This is immer the right question and an answer does already exist: Open Source can be compiled, in order to compare the build with the receipt executbale binary code. If the hash-sums (md5sum/shasum/file sizes) do not agree (that means differing), the executable code deals with code not listed by its source.
Why UNIX/Linux? Because I know it is opensource and the kind of its (almost german) programmers behind (book from Prof. Kersten and books from some other authors).
It always must be caviar? Tell us about any more secure distribution ever!
Gentoo Linux 12.1 2012 Live-DVD (x86_64 for 32 and 64 bit- and AMD64 forr 64 Bit-CPU) from
Gentoo.org, burnt 3,3 GiB ISO. The so called
meta-operating-system Gentoo is recommended by prism-break.org. It is bootable from DVD as much as installabe onto SSD/HDD by open-source-packages to compile in. You can also order already DVD-burnt Gentoo 12.1 AMD64 from us free from postage-fees for 10 €
Smartphones
In comparison with IPhone 6: This smartphone can something like no other one, Focus, 01.11.2014
For 12 US-Dollar only, it rivals with Apple or Samsung - with uncommon features. "Smartphone-the drug is real like everywhere. This handy does not pig up your dates, does not irritate you during concerts, does not disturb you in the cinema and cleans up the passways. The solutiion is found. With this promise, a user names quot;The NoPhone Team" of the Crowdfunding-platform Kickstarter his project. It is a handy like no other one and can do like no smartphone can. Namely... nothing. Perfect for the pockets of the trousers: its wireless design made of flexible plastic feels cool and real. "Just pull it out and hold it." The most signifcatn features are named by the manufacturers: no accu, no nerved updates, splinter-free, water-proofed. This project has it success: the No-Phone-Team wanted to collect 5.000 Dollar but accounted 18.000. With this phone, that can neither phone nor write SMS nor surf in the internet, should cost twelf Dollar. There is another "NoPhone"-version with selfie-function. This model has a mirror in its display and is distributed in the words: "Show your friends your newest selfie, if they stand directly behind you."
We do not believe much in honesty of the other ones in all matters: In regard to SAR-values, cases like Macolini and the feel of the "slap in the face" (probably metastasis) on the side of the handy taken from our section for News&Links and other cases, where magnetic influence was felt by second persons in the circumcirlce of more than three meters from the handy phoning, Gooken dissuades from all kind of wireless (mobile) phones except emergencies!
Two cameras, several microphones, a GPS-modulel and oodles private user data: smartphones are the perfect supervisory devices
Security export leaks out: Your smartphone can spy out - although you powered off everytjhing, STERN.de, 08.02.2018
Über GPS und Co. können uns Smartphones permanent überwachen. Zum Glück kann man die Funktionen aber abschalten. Ein Forscher erklärt nun, wie man diese Sicherheitsmaßnahmen trotzdem aushebelt - und warum das kaum zu verhindern ist.
Zwei Kameras, mehrere Mikrofone, ein GPS-Modul und Unmengen private Daten der Nutzer: Smartphones sind die perfekten Überwachungsgeräte.
https://www.stern.de/digital/smartphones/so-kann-ihr-smartphone-sie-ausspionieren---obwohl-sie-alles-abgeschaltet-haben-7855612.html
https://www.stern.de/digital/computer/erpressungs-trojanern--so-schuetzen-sie-sich-vor-ransomware-6725356.html
https://www.stern.de/digital/online/datenraub--mit-diesen-7-tipps-schuetzen-sie-sich-davor-8521708.html
https://www.stern.de/tv/datenhack--warum-wurde-es-dem-taeter-so-leicht-gemacht-und-wie-kann-man-sich-schuetzen--8521650.html
https://www.stern.de/digital/smartphones/so-kann-ihr-smartphone-sie-ausspionieren---obwohl-sie-alles-abgeschaltet-haben-7855612.html
https://www.stern.de/digital/online/der-mann--der-uns-schwierige-passwoerter-einbrockte--bereut-seine-entscheidung-7577534.html
https://www.stern.de/digital/computer/erpressungs-trojanern--so-schuetzen-sie-sich-vor-ransomware-6725356.html
https://www.stern.de/digital/online/iphone-privatsphaere--mit-diesen-einstellungen-schuetzen-sie-ihre-daten-8522116.html
https://www.stern.de/tv/datenhack--warum-wurde-es-dem-taeter-so-leicht-gemacht-und-wie-kann-man-sich-schuetzen--8521650.html
https://www.stern.de/tv/gute-passwoerter-und-co---so-schuetzen-sie-sich-bestmoeglich-vor-hackerangriffen-8524324.html
How to make mobile end-devices secure: http://www.pcwelt.de/ratgeber/So-sichert-man-mobile-Endgeraete-im-Unternehmen-ab-FAQ-9582121.html.
This links origins from our section News&Links#computer#smartphones, CHIP, 26.12.2016: Android-security is one thing to take care of with fitting apps. With such apps you do not need to fear NSA, data robbery, viruses and Co. anymore. CHIP presents the apps protecting your android-handy in a perfect way.
Data-backup for Smartphones: Here are the best solutions for data-backup for Android, iOS and Windows.
ifixit: It is easy to repair smartphones - FOCUS Online.
10.000 mAh powerful monster-akku from Smartphone-Manufacturer OUKITEL, Focus Online 02.07.2015
Four times more powerful than Galaxy S6: This Smartphone has a akku-load durability of one week
The days of empty smartphone-akkus might be gone. The manufaturer OUKITEL plans the first smartphone with an akku-load of one week ...
See reports from our linkside: They are manufactured by perverts (Apple; see a report from our linkside), tiny displays bother the eyes, they radiate and cause serious hard accidents, while one can not care enough for IT security even around them: smartphones. Gooken primarily cares for the Desktop-PC. Therefore, before the (similar) use of smartphones and handies it is strongly recommended to have a look upon our linkside by clicking onto links or here, but remark, that the use of so
called-crypto-smartphones and crypto-mobil-phones can provide the needed protection up to the already endangering point of crypto- resp. supercomputers.
ZDNet / Mobile: Why Open-Source-Handies are the better smartphones, from Jack Wallen, 24. september 2009
Open Source provides the mobil market plenty of advantages beginning with the reducing of costs, more security up to many adoptable settings and a more productive development of applications. Do you agree, that Open-Source-devices are the better smartphones? Or does Apple, even Microsoft with Windows Mobile 7 win the fight for the market share? You can write a comment.
Hardware-Support: device-drivers, hardware-databasis
Kernel-4.20.13 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. kernel 2.6.39 (mdv2010) with actual patches up to now from see our section for updates provides extended hardware support. But sometimes you just have to wait. So called "old" hardware must not be bad, the drivers are almost provided. Popular driver are already wtihin the kernel or kernel-modules. If missing in kernel-modules, belonging packages (rpm, deb) can be taken over into such modules. CPUs of mainboards consist of standard machine command sets that are already regarded in the package name like x86_64, i686, ia64, ppc, ppc64, ppc64le, aarch64, s390, s390x, arm, armhfp, sparc and so on, while the BIOS (BIOS-chip) on the mainboard should be socked, so that it can ordered, if malfunctioning. For the graphiccard you can use the UNIX/Linux-standard-driver fbdev or vesa. And the plugin of TFT-monitors is as simple as it can be in the case of postscript-printers by naming the belonging PPD-file out of (rpm) openprinting-packages, manufacturers or manufacturer-driver-CD. Start MCC, go to section "add a printer" and link to such PPD-file. Good to know, that USB is downward compatible. If the (W)LAN-chip does not work, a standard-PCIe- or PCI-ethernet-card helps out, until the packages or Tarballs for the driver are released in the internet, same for graphiccard and the onboard-soundchip.
Hardware for Linux, PC-WELT.de, 11.06.2019
Question: Is it guranteed, that hardware can be used for Linux for my PC, netbook and peripherals unrestrictedly?
Answer: To say it shortly: No. Here´s the long version of the answer: It takes a leap of faith. Hardware manufacturer seldom offer support for Linux. Basic components like graphik-, SATA- or Ethernet-chipset do not provide problems. But for printer, scanner, USB-TV- or WLAN-Stick, in many cases the driver CD does not include drivers for Linux. And even if, they just fit seldomely into the installed system. Notebooks are often restricted too. In some cases the brightness of the monitor screen can not be adjusted by key combinations or the power modes do not function like in Windows.
Therefore it only helps to get informed through the internet or by the salesman about notebooks and peripherals. There are salesman specialized for Linux like Tuxedo.
https://www.pcwelt.de/ratgeber/5-Fragen-und-Antworten-fuer-Linux-Anfaenger-10589209.html
PC-WELT.de, 01.09.2015:
"Find out compatible hardware before you order it
Whoever does not want to care for Linux-driver, one should check out the compability of the hardware before it is ordered. In most cases it is sufficient to start a search by searchengines with the name of the hardare device in combination with "Linux". One can also search in hardware-databasis. It es also useful to get informed by websites like http://wiki.ubuntuusers.de/Hardware with lists of hardware, that functions and tipps for their installation. Informationen about TV-cards and Sticks are also providid by Linux TV.
Of Linux should be installed on a notebook, http://tuxmobil.org or Ubuntu Wiki provide userful information. There are some manufacturer specialized for notebooks with preinstalled Linux like Tuxedo Computers, although such devices might be a little bit more expensive than Windows-notebooks."
After an upgrade of the glibc from mdv2010 to rosa2014.1 or mga3 a hugh repertoire of driver-packages and -tarballs are provided for even actual hardware.
Such companies do provide drivers for Linux:
Graphic cards: Intel, Nvidia, AMD
Printer and scanner: Epson, HP, Intel, Samsung, Brother and Canon
Hardware databasis and hardware support:
http://openprinting.org for Ghostscript- and the PPD-files of postscript-printer
https://de.opensuse.org/Portal:Hardware
http://wiki.ubuntuusers.de/Hardware
http://linuxtv.org/wiki/index.php/Hardware_Device_Information
http://community.linuxmint.com/hardware
http://tuxmobil.org/
https://wiki.ubuntu.com/HardwareSupport/Machines/Laptops
http://www.tuxedocomputers.com
http://wiki.ubuntuusers.de/Drucker
http://www.pcwelt.de/ratgeber/Uefi-statt-Bios-Das-muss-man-beim-Linux-Boot-beachten-Von-USB-und-DVD-9715238.html
http://wiki.ubuntuusers.de/Scanner
A detailed report about the hardware-support of drivers is provided by the following article: http://www.pcwelt.de/ratgeber/So-bringen-Sie-Linux-trotz-Probleme-zum-Laufen-9789269.html.
If a driver is still missing, he can be buid (constructed) by any user. Several howtos can be found in the internet. For the printer packages lke cups-ddk are released for cups.
X11-server-troubleshooting (graphic card): see our section for "updates"
Printer-Troubleshooting: see our data sheet, section printer
Lacks in security
"The way is the target" are the well-known words from our precedent security-manager Konfuzius (...), that made us write here so much. Our main aim is to drag him out of the computer-scene for IT security and, who is awake enough, even forever! Together with the checklist it is proofed, that computer technology must not be nonsens, even if it is meant so and even if there is nothing really secure in this world, because of the race of the safeendangering with the secure and the certain kind of human behind this scene. Computer-history of nowadays with the typical constitution of software in intransparent „pirate-black“ binary machine-code, unlucid amounts of versions and distributions have shown some more (responsible) difficulties in satisfying claims for achieving real protection for the jack of all trade. Smartphones, notebooks and so on are only mentioned on our linkside. MG Chip: "The combination of raster-electron-, raster-Auger- and raster-plammet-microscope is cracking any kind of chips, however signed secure from manipulation". Serious hard cases of system-self-destructs can not be excluded. But resignation does not help. Nevertheless the aim in general of this excursion is to provide computer-systems with almost no lacks in security at all, and therefore (quit) without any scans from hard-disks by any scan-software. By following the excursion,
your UNIX-computer will be freed from all (!) problems with the computer quit at once like (... ever seen so much red in your documents?)
proprietary software (opensource against liablity, more clearance of question about liablity), cost-traps (here: billing by handies and SMS, overread of additional parts of contracts and the conditions), blackmail for unlocking suddenly locked computers (see our report under links), abuse of copyrights and patents, cult for criminals, billions hard investment into spying software and techniques, missing, confusing or the fluctuating IT-security-concept, hard-disk-scans, defragmentation (unnecessary for many UNIX-file-systems), harddrives (instead of MC-SSD, cite: "A magentic harddrive is much to risky to intrust data. Although a lot of improvements took place, who has not heart or - in worst cases - made the experience of lost data. Therefore enough reasons are relevant." (source: poshtar@datensicherx.com, 13.05.2014)), the demand for a registry, registry-errors (UNIX-systems have no registry), degeneracy of the registry, suddenly or inpredictable lost files, explosion (of net-adapter), fire (net-adapter, porous PC-lautspeaker-cable, ...), your own ununderstandable blackened company (enlighted by our PHP-MySQL-company management Mycompanies), virtual blackmail by encrypting harddrives against ransom, shooting through unmanned flying objects as a technical response to stored data, kontermination (through chipsets, preventable by IGP and all-in-one-mainboards) and radiation, WLAN-radiation (see our linkside), CRT-radiation, CD-burner-radiation, netadapter-radiation, warning high SAR-value (handies), zero-emission (reflectable monitor emissionf or example by special PCMCIA-cards prevented by special editors like the zero emission pad), hardware-recognigtion (standarized driver, Kernel ver. greater 2.6.30), infiltration of social networks, handy-hunts through nets, inconsistency (vs. everlasting science), need for upgrades (new tarballs, zip-archives, functionality), updates, patches and bugfixes (vs. functionality), browser with outdated ssl3.0 (modern usage is provided by TLS), changeovers to different security software, missing changelogs, software-overload on harddisc (Opensource, independency-checks, other introduced methods), hacker (STATE-NEW lined iptables-blocking), large holes in firewalls (iptables block-rate), intrusion and valdalism, viruses (access-rights of UNIX-filesystems), freak (patch or prefer browsers like Firefox or Konqueor instead), abuse by virus scanner (standard opensource clamav), worms, rootkits (rkhunter) resp. botnets and trojans (no botnets and no trojans by correct usage of the OWNER-concept of iptables), manipulation by system-administrators upon software, files and configurations, ddos-attacks (almost on the base of bots and trojans), inactual alarms, false-alarms, forgotten or coded warnings and error-messages, ad- and spyware as much as Trackingscripts (firefox-addons), Driveby-Downloads, Canvas Fingerprinting (see under online check), forced acquisition because of truncated customer support for old operating systems (lifetime installation-support for all mdv/mdk over "pointed 1-" to "pointed 0" versions), product-manufacturing fault right on the surface of installation-CD/-DVD, aggressive marketing, need of updates and upgrades instead of functionality, unknown authors behind the named, burn-errors, problems with the BIOS and during the system-startup resp. boot, flush and reset, intransparent boot-processes, hard undestandable process-names (partial standarizement by UNIX/Linux), unmushed nets (failsafed mushed nets), video- and voice-recording, judge-microphons, observing satellite technique (see under links), spanish flies, night viewers, evaluation of such recordings (audit, protocolling files), text- and image-manipulation, manipulation of websits by webhoster, instability, system-breakdowns, broken USB-Sticks (secure umount and never before, fsck), usage of USB-hubs instead of prolonging USB-cables only, manipulated electric meter and cables (UPS: unbreakablel power supply), ineffective encryption through non scientific based cryptograhic methods from highschools, the search for important function-keys,iweak point human, insufficient set of (security-) system-commands, hangons and newstarts, anomal login attempts (LADS - login anomally detection system), inactual alarms and warnings, installation of malware by the opening of e-mail-attachements, unsigned installation from anywhere, installation by everyone, inportability, defect peripherals and hardware, restricted presentation of websides, keylogger and other malware, wiretrapping bedbugs (from USB-cards and other devices), hack of sensible data from USB-sticks through their microcontroller, crack of WLAN-encryption-keys, spy-nets, false email-sender-addresses (disabled browser-cache, header of email-source-text, digital signatures by public signature-keys, de-Mail), DoS-attacks, root-rights providing buffer-overflows (bugs),
aggressive marketing, missing warnings of the BIOS during overheatings of the CPU and from the inside, malfunction of USB-memory-sticks, intransparent boot-procedures without detailed information, long boot-times, weak-point-human (as a title of a contribution from a newsgroup), hard to understandable files and processes by name, side-manipulation and censorship by webhosters, need for additional software for example for ftp-transfer, use of harddiscs instead of durable and less power-consumpting (MLC-) Solid State Disks (SSD), installation of malicious software by opening attachments from e-mail, need for external graphic- and sound-cards (IGP, onboard integrated graphic- and sound-chips), software from unspecified sources (integrity checks, checksum), installation by any users instead by users with special access rights only, cloud computing (by avoiding storage onto foreign media, extern harddrive, USB-memory-stick), bad cable connection, listenings in to WLAN, cracks of WLAN encrypting keys, illegal access into WLAN-access-points, broadcasting bedbugs from USB-cards or other devices), lack of test reports and exchange of experiences (datasheed and test-forums), low duration of batteries and akkus, unknown details of OS-kernel bad or low encryption, encryption by elsewheres cryptographic methods instead of those checked resp. developed by high-schools, bad or low encrpted instant messaging (OTR, ...), manipulation of files like out of /etc/security/msec (FDE, FSE for full disc and full system encryption), file-encryption), vandalism "you can power off your computer now!", insecure passwords, inpredictable exhaust of passwords, amount of passwords (kwallet and relevation), visiblity of files storing passwords (steghide), bad adhere to deadlines, intimelineness, forget of the sourrounding (dating planner, countdown clocking, scheduler, task scheduler, ntp-daemon), burn error on CD/DVD (noflushd), inportability, unmashed nets (failsafe mashed), security endangering security software, missing software, incomplete set of (security-)system-commands, instabilty (breakdowns, blackouts and hang-ons, Alpha-Beta-software-developement stages, ...), release of authorizing root-rights, hacker, smashed wholes into firewalls, viruses, worms, rootkits (rkhunter) resp. trojans, dialer, hoax (watching out for the sender), false alarms, anomal attempts to login (Login Anomaly Detection System like LADS, delays after false-logins, commands to list logins and login-times, risks of WLAN (many single security operations have to be performed), security lacking file-systems, restricted file-systems (capacity of copied files, sytem dependencies, looking out for important function keys (BIOS, security modes...), inpredictibale deletion of files from anywhere, inpredictable remote maintenances, changing of fundamental configurations and settings, need for a registry, registry-errors, Entarten and Verwaisen der Registryeinträge, capacity restricting zombies, adware, popups, tracking scripts, ad- and spyware, online registrations for the release of software, spy-nets, intransparent connecitions over foreign net-nodes ( traceroute-command tcptraceroute see News&Links#Computer ), DoS-attacks, click-ping-tracing, cookies and Third-Party-cookies, supercookies, informing browser-chronicle, ABE, cross-side-scripting, operating time with akku/batteries, suspicious plugins, encryption cracking supercomputers, restricted presentation of websides, censorship depending of the true aims behind, spam (Spamassassin), spam-entries (Captcha), scam, missing option resp. missing command for even foreign notes through the net registrating traceroute (comannd tcptraceroute), read and writes from harddiscs by other parties, phishing, dialer, dissuasiveness, need of upgrades, errors and mistakes, missing software, registration, forwardings and therefore profiling by search-engines and depreciation, pass of hugh server-farms and advertising-networks, personalized advertisment, profiling, identifying ua-browser-answerback (see our online check) resp. IP, static new IP-adress-room ipv6, identity theft, pre-punishment-registration (cybermobbing), bad support, maintenance, bad sectors and file-systems with errors resp. the long time for their repair, capacity-resctriction of file-systems during file-transfer, bad encryption, online speed-blocker, editors (programming) without syntax-highlighting, missing log-files for protocolling, wait-states, needs for many drivers, more than hard to understand names for system-files, processes and errors, hard to understand names for processes and files, support for children and disabled (input-support and other programs like dasher, mouse-tweaks, speech, squid-guard, window-manager like LXDE and XFCE, ...), problems typing in by the ten-finger-system (missing keyboard), manufacturing faults on CD-surfaces (MS 98/SE), insufficient or bad tuned software-components and the risk of their dependencies, need for additional software like for ftp-transfer, old concept of magnetic hard-drives instead of long-durationed, specific natural durabilities for the storage, fast working and powersaving Sold Sate Drives (SSD), need of repair, (extern) graphic-, sound- and ethernet-cards (all-in-one boards, ideally with CPU, cooler and RAM) as a contribute to the enburdening of net-adapter to prevent open fire and explosions, 1000-Watt-PC, 65-Watt-CPU, techical reconstruction of direct debit mandates, missing delivery of online-ordered goods, especially from foreign countries and in cases of a too low amount in controversy, different device-interfaces (well known solved by downward-compatible USB), the disperse resp. page of the security-concept, waste of ressources, waste disposal problems, intern self-destructs, write-offs, science pocketing software-companies, costs for acquistion, licences, training, additional costs, difficulties or bad handlings, ...
... "in West Nix Niue (not new)" ...
with alternatives from our data sheed now all at low cost on the ground of power-consumption like energy saving lamps!
Data Protection
Windows 10: Deactivated funtions do send data to Microsoft, http://www.pcwelt.de/news/Windows-10-Deaktivierte-Funktionen-senden-Daten-an-Microsoft-Datenschutz-9781744.html
Other person do in the best case thinkable even not know, if you possess a computer at all, neither by IP nor DNS nor they know about your installed operating system resp. operating systems, installed software and files!
Although only human failures can cause errors during the installaton of mdv2010, some errors can happen. There is an amount of error-messages of mdv2010, that do not help troubleshooting, some are missing. Therefore we recommend a second SSD for the backup of every important installation-state of the first one. Then as many packages can be installed on the SSD as the user likes and ever needs without lacking in system-security, if you are installing operating-systems like mdv2010 with packages totally sized over 65 GB!
Survey of the internet node: DE-CIX sues BND, Tagesschau, 22.04.2015
The BND is taken into response before law for his surveys of the net-node DE-CIX in Frankfurt at Main. The holde of the node is going to sue. Criticizer do also sue the government for making tricks. Arond thre terabit data per second are passed and overworked, an amount of 600 CD-Rom. To the customers count all big internet companies like the Deutsche Telekom, Vodafone and Verizon, more details see Links, section "NSA, GHCQ & Co.".
Prism.break is right to recommend both alternatives (addition from 07.09.2013): Tagesschau reports about weak-points in many security software. The industry for software would have been built-in backdoors in their programs. It were possible to get information right before a user encrypts them and to send them over the internet. Super-computer were constructed to crack encrypted codes. NSA-program "Bullrun" belonged to the most kept secrets.
The british agency GCHQ were very successfull in cracking code.
prism-break.org: "With proprietary software, you need to have 100% trust in the vendor because there´s nothing except for their morality in the way of them leaking your personal information. Even if you can vouch for their integrity, proprietary software invariably has more uncaught security bugs and exploits because there are fewer eyes examining the source code."
prism-break.org, 2014: "Apple, Google and Microsoft are probable part of PRISM. You can not trust their proprietary operating systems in the matter of keeping sensible data safe from NSA.
Two alternatives do remain: GNU/Linux and BSD.
GNU/Linux has a much hugh community than BSD in order to help us for the change. It is recommended to search for a proper GNU/Linux-distribution fulfilling the requirerments."
PCWelt.de, 19.10.2015: "BitBox BitBox is a browser-in-the-box - a virtual environment, in order to secure the internet to make it more comfortable during the surfing. This virtual machine with a separated webbrowser protects in front of dangers, for example the rebuild resp. modified browser Dragon from the antivirus expert Comodo. His appearence reminds of Google Chrome, but Dragon is constituted to be more stable and thanks the privacy mode this browser is able to stop serious hard cookies. The inspection of SSL-certificates is more precise. Whoever wants to keep his browser save before the rest of the PC, likes to prefer BitBox - a browser-in-the-box. The developers of BitBox, the Bundesamt for Information Security (BSI), has put their browser into a fitting virtual
Linux-environment. Linux has got some advantages in comparison to Windows - there are only a few "varmints", known for this operating system offered for free. So you use a virtual Ubuntu for a surf-system resp. for online-banking. A virus scanner is not required anymore. Tip: Alternatively use Wubi.exe, in order to install Ubuntu beneath Windows. This small file installs Ubuntu beneath Windows on the harddrive. When the system starts, the system is chosen. In this case, a virtual box is not needed anymore."
On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they´´re vulnerable. In addition to browsers, many mobile apps, embedded systems and other software products also use TLS. These are also potentially vulnerable if they rely on unpatched libraries or offer RSA_EXPORT cipher suites.
Vulnerable Browsers are Internet Explorer,. Chrome on Mac OS, Chrome on Android, Safari on Mac OS, Safari on iOS, Stock Android Browser, Blackberry Browser and, Opera on Mac OS.
Firefox (Windows, MAX, Linux) and Konqueror (Linux) are not affected, see freakattack.com for more details.
Tagesschau, 07.31.2014: Actually scientific experts found out, that sensible data can be read out through microcontrollers (processors) from USB-sticks, see the report from our linkside under the point links! Therefore a new USB-standard is devoloped. By this, all data of computers can be read out, even passwords and email-contents as much as devices be steered like webcams. The operating sytem does not notice all of this, as it believes in key-strokes and not software attacks.
prism-break.org: "We recommend MC-based SSD instead of magnetic harddrives, "A magentic harddrive is much to risky to intrust data. Although a lot of improvements took place, who has not heart or - in worst cases - made the experience of lost data. Therefore enough reasons are relevant" (source: poshtar@datensicherx.com, 13.05.2014)) (similar to magnetic hard-drives, in order to keep the very fast access-times of a SSD, at least 4 GB memory should be kept free, comment, the Red.)
Legend end: Microsoft ends up with Internet Explorer, Focus, 18.03.2015
New browser past 20 years
After two decades a legend of the internet died: Microsoft actually develops a new browser, in order to exchange the Internet Explorer. For the next time, his name is "Spartan" - and he shall have nothing to do with his precedor.
Tagesschau, 28.04.2014: Vulnerabilities of the microsoft-browser
USA dissuade from Internet Explorer
In Microsofts Internet Explorer, market share more than 50% (2012, studie web-analyzators from Net Applications), vulnerabilities past the date for support fof XP (08.04.2014) were found, that do still exist. The US-government advises to use other browsers for the next time. There would be so much difficutlies in the Explorer-version six to eleven, that hacker can cause enormous harm, warned the ministry of home country protection. Problems are known since the weekend. Microsoft told, to do something against them. The vulnerabiltity would cause in wrong programmed memory-accesses.
Prepared websites, that user of the internet-explorer call, could provide access for attackers to the computer, in order to execute mailicous code and take control upon the computer. The vulnerabilty already is effectively in use. It is the first serious one, since the support for Windows XP ended. Therefore it could still exist for PCs with the 13 years old operationg system regardless from Microsoft having solved the problem.
In News&Links we describe, howto make an Internet Browser of MS Windows upon the base of a Debian-sandbox secure, downloadable for free.
Internet-Gang robbs one billion dollar from banks, Focus, 15.02.2015
A bank robbery in the internet-century were made in that way: A Gang broke into in computer-systems of credit institutes and manipulated even account balances. They would have get any amounts of money from cash automates they liked.
Focus 2015:
Antivirus-scanner promise allround-protection for the computer and to make the surfing online more secure. But in the half of all cases, they can not defend cyber-attacks.
Tagesschau.de 11/2013: Appelbaum from Wikileaks sees opportunities for effective encryption. Therefore free and open source were needed. Not all encryption were the same, not all companies have been confidential or can be trusted.
Tagessschau, 11/2013: Wikileaks sees opportunities for functioning encryption. One needs free and open sourced software. Not each encryption were secure, not all companies were trustable. Wikileaks hops for concete methods against. For expample, if an attorney were proclaiming trust on telephone, although he did not use an encrypted telephone, one should call careless.
Tagesschau, 10.03.2014, cite Snowden: "If you encrypt your hardware and connections within nets it is much more difficult to collect your data by mass-wise-controlling software. Of course, such data can be cracked resp. hacked for special surveillance, but remain more secure. The best proof would have been delivered by his encrypted kept own documents sent per email." ( two encryption can be made for e-mail-transfers: one of the text-includes of e-mails by pgp-gpg, one by pop3s and smtps (TLS) for the belonging connection to the pop3- and smtp-server).
WLAN-Router
Router-Sicherheitstest 2020: AVM, Asus & Co. im Vergleich, PC-Magazin.de, 16.6.2020
Welchen Anteil haben verbreitete WLAN-Router am Schutz des heimischen Netzwerks und seiner Nutzer? PC Magazin und das Sicherheitslabor AV-Comparatives sind dieser Frage in einem umfangreichen Test nachgegangen.
https://www.pc-magazin.de/vergleich/router-sicherheitstest-2020-3201633.html
Viele WLAN-Router von Sicherheitslücke bedroht: Nutzer sollten bestimmte Funktion besser abschalten, CHIP, 28.05.2020
IT-Spezialisten haben eine schwerwiegende Router-Sicherheitslücke entdeckt, die offenbar eine ganze Reihe von Netgear-Geräten betrofft. Über die Lücke können sich Angreifer unbemerkt Kontrolle über die Router verschaffen und dem Nutzer so manipulierte Updates unterjubeln. Wie Sie sich davor schützen können, lesen Sie hier. Worauf es beim Kauf eines neuen Routers ankommt, erklären wir Ihnen im Video.
Die Sicherheitsforscher des IoT-Labs der FH Oberösterreich sind auf eine eklatante Sicherheitslücke beim Netgear-Router Nighthawk R7000 gestoßen; offenbar sind auch viele weitere Modelle gefährdet. Das Problem: Der Router bezieht Firmware-Updates zwar verschlüsselt - dabei wird von den Geräten offenbar jedoch nicht das jeweilige Serverzertifikat geprüft. Dadurch ist es Angreifern grundsätzlich möglich, manipulierte Updates der Firmware auf dem Router zu installieren. So können sich die Cyber-Kriminellen potentiell Kontrolle über die Router der Nutzer verschaffen.
Sind einzelne Dateien beziehungsweise der Update-Server selbst gerade nicht verfügbar, kann es sogar dazu kommen, dass die Router bei der Installation gänzlich unverschlüsselte Protokolle nutzen, um die Updates zu installieren, was Angreifer ihre Attacken noch leichter durchführen lässt. Hinzu kommt, dass digitale Signaturen vor dem Update-Prozess nicht überprüft werden. Das führt dazu, dass die Router auch manipulierte Updates installieren, ohne dass dies vom Gerät erkannt wird. Sowohl der automatische Update-Prozess als auch das Update via Assistent im Web Interface sind offenbar von der Schwachstelle betroffen.
Eine offizielle Lösung seitens des Herstellers gibt es bisher nicht: Wie die Forscher der FH Oberösterreich schreiben, habe sich Netgear seit Ende Januar nicht mehr zu dem Problem geäußert, geschweige denn einen Work-Around via Update ausgerollt.
https://www.chip.de/news/Viele-WLAN-Router-von-Sicherheitsluecke-bedroht-Nutzer-sollten-bestimmte-Funktion-besser-abschalten_182735284.html
Router-Sicherheit: Virenforscher warnt vor Angriffen über den Browser, Spiegel Online, 26.05.2015
Über manipulierte Websites lässt sich die Konfiguration diverser Router ändern, warnt ein Virenforscher. Weil die Geräte fortan Anfragen auf gefälschte Internetangebote umleiten, haben Kriminelle die Chance, Passwörter mitzuschneiden. Einmal falsch geklickt, schon macht der Router Ärger: Eine raffinierte neue Attacke nutzt die Schwachstellen gängiger Modelle aus, Unbekannte stellen dafür mit Schadsoftware verseuchte Webseiten ins Netz. Der unter dem Pseudonym Kafeine bekannte Sicherheitsexperte beschreibt auf seinem Blog das Problem, das mindestens 40 Modelle bekannter Hersteller gefährdet, darunter Geräte von Asus, Belkin, D-Link, Linksys, Netgear und Zyxel. Fritzbox-Router tauchen nicht auf der Liste auf. Die Angriffe, die Kafeine beobachtet hat, verlaufen nach folgendem Muster: Nutzer von Googles Chrome-Browser werden zu einem Server umgeleitet, der Schadcode enthält. Dieser versucht, das Router-Modell des Nutzers zu bestimmen, um dann die DNS-Einstellungen des Geräts zu ändern. Das Domain Name System, kurz DNS, wird oft als Adressbuch des Internet bezeichnet, denn es funktioniert ganz ähnlich: Gibt der Nutzer im Browser eine bestimmte Web-Adresse ein, geht die Anfrage an den Router, der dann mithilfe eines DNS-Servers die passende IP-Adresse nachschlägt. Gelingt es einem Angreifer, sich mithilfe eines manipulierten Adressbuchs in diese Kette zu schalten, kann er dem Router andere IP-Adressen unterjubeln und den Nutzer so auf gefälschte Websites lotsen. Kriminelle könnten etwa die Startseite einer Bank nachahmen, um die Log-in-Daten abzugreifen, die auf der gefälschten Seite eingetippt werden.Fast eine Millionen Zugriffe an einem Tag: Unbekannten Angreifern ist kürzlich offenbar eine solche Umleitung von Seitenaufrufen gelungen - und das massenhaft: Ein von Kafeine beobachteter DNS-Server konnte in diesem Monat bisher täglich rund 250.000 Zugriffe verzeichnen. An einem Tag - dem 9. Mai - waren es sogar fast eine Million Zugriffe, schreibt der Virenforscher. Die Angreifer gehen clever vor: Als sekundären DNS-Server nutzen sie Googles öffentlichen DNS-Dienst, was bedeutet, dass die Betroffenen auch dann Seiten erreichen, wenn der Server der Angreifer einmal den Dienst verweigert. Bemerkenswert ist, dass offenbar nicht nur Router gefährdet sind, deren Fernwartungsfunktion aktiviert ist. Der beschriebene Angriff erfolgt Kafeine zufolge durch eine sogenannte Cross-Site-Request-Forgery (CSRF), mit der ein Browser gezwungen werden kann, Aktionen auf fremden Webseiten auszuführen. Ziel des Angriffs ist die Administrations-Oberfläche des Routers. Auch wenn sie von der Fernwartung abgekoppelt und eigentlich nur im lokalen Netzwerk verfügbar ist, lässt sie sich attackieren, da Router im Gegensatz zu Internetseiten oft nicht gegen CSRF-Attacken geschützt sind, schreibt "Computerworld".
Wie kann man sich schützen?
Die von Kafeine veröffentlichte Liste betroffener Geräte ist vermutlich nicht vollständig. Nutzer sollten daher - unabhängig davon, ob ihr Router zu den genannten gehört - prüfen, ob die Firmware Ihres Routers auf dem neuesten Stand ist und sie gegebenenfalls aktualisieren. Die Cyberkriminellen machen sich mit diesem Angriff nämlich vor allem die Bequemlichkeit der User zunutze: Einen Router konfigurieren viele Nutzer nur einmal, danach kümmern sie sich nicht mehr darum. Wie wichtig regelmäßige Firmware-Updates gerade für diese Schnittstelle ins Internet sind, hat erst vor einigen Tagen die NetUSB-Lücke gezeigt.
Passwörter von 500.000 WLAN-Routern geleakt: Das sollten Nutzer jetzt unbedingt beachten, CHIP, 21.01.2020
FritzBox Firmware Update: So einfach geht die Aktualisierung
Hacker nutzen WLAN-Router und Server, um Botnets aufzubauen. Nun wurden die IP-Adressen und Passwörter von über einer halben Million Geräten frei zugänglich im Netz veröffentlicht. Doch es gibt Maßnahmen, die jeder Nutzer jetzt ergreifen kann. Zum Beispiel ein Update. Wie Sie Ihre Fritzbox am besten updaten, erklären wir Ihnen im Video.
https://www.chip.de/news/Passwoerter-von-500.000-WLAN-Routern-geleakt-Das-sollten-Nutzer-jetzt-unbedingt-beachten_179776444.html
Router updaten: Bundesamt warnt vor Sicherheitslücken, PC-WELT.de, 07.01.2020
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt Besitzer von D-Link-Routern vor einer Schwachstelle.
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt aktuell die Bürger mit zwei technischen Sicherheitshinweisen der Risikostufe 3 und Risikostufe 4 vor Schwachstellen in WLAN-Routern des Herstellers D-Link. Die erste Schwachstelle ermögliche die Offenlegung von Informationen. Die zweite Lücke ermögliche das Ausführen von beliebigem Programmcode.
https://www.pcwelt.de/news/Router-updaten-Bundesamt-warnt-vor-Sicherheitsluecken-10732250.html
Typische Probleme am Router lösen, PC-WELT.de, 10.09.2019
Wenn selbst bei schnellem DSL Streams stocken oder Internettelefonate abbrechen, helfen die richtigen Einstellungen am Router.
https://www.pcwelt.de/a/typische-probleme-am-router-loesen,3449919
Kein Zugriff auf 192.168.1.1? So klappt das Router-Login, PC-WELT.de, 18.03.2019
Trotz Eingabe der IP-Adresse 192.168.1.1 oder 192.168.2.1 im Browser klappt das Router-Login nicht? Wir bringen Sie in 7 Schritten ins Router-Menü.
https://www.pcwelt.de/ratgeber/192-168-1-1-so-klappt-das-Router-Login-9638280.html
Browse: Therefore always try to turn http:// -> http
s:// (ssl) in the address-line of your browser manually, before the URL of the webside is entered! Favorites should contain only such URL too. Notice, that a ssl-certificate of the webserver resp. webhoster is not present in all cases!
JonDoBrowser: Anonymous Firefox-replacement, still beta, CHIP, 14.09.2012
The JonDos GmbH (University Leipzig) accused Firefox for having built-in functions, that are harmful for data protection. Therefore their developers released the (together with Jondo) anonymizing JonDoBrowser Beta for free, http://www.chip.de/news/JonDoBrowser-Anonymer-Firefox-Ersatz-mit-Macken_57527151.html.
Jondofox - Firefox with condom
Download Jondofox: http://www.heise.de/download/product/jondofox-58547/download
We, Gooken, introduce a list of security browser on News&Links#Alternatives#The-Green-LED#BrowserCharts For installing Jondobrowser, set the path to the firefox-profile in the installation script of Jondofox manually to /home/surfuser/.mozilla/firefox. The inegration follows right past the start of firefox. Never install addons not basing on Open Source. Jondobrowser´s integration of Add-ons like https-everywhere should, as described, also be seen critically.
Freak: "Freak"-Sicherheitslücke: Auch Windows betroffen, 06.03.2015,
Mit einem sogenannten "Freak"-Angriff wird es Dritten möglich, eigentlich geschützten Datenverkehr zu entschlüsseln und womöglich persönliche Daten mitzulesen. Diese Betriebssysteme und Browser sind betroffen.
Am vergangenen Dienstag wurden Informationen über die sogenannte "Freak"-Sicherheitslücke öffentlich gemacht. Durch diese können Dritte Daten aus eigentlich geschützten SSL-/TLS-Verbindungen abgreifen. Damit dies aber tatsächlich möglich wird, müssen bestimmte Kombinationen aus benutztem Webbrowser und verwendetem Betriebssystem gegeben sein. Grundsätzlich sind Android-, iOS-, Windows-Phone-, Windows-, Mac- und Linux-Nutzer gefährdet. Zum Ausnutzen der Lücke müssen zudem Webseiten mit einer geschwächten Verschlüsselung angesurft werden, wie auf.
During a normal browsing with MS Windows and MAC, focus 31.08.2014
Danger in the internet: the unvisible drive-by-download
Infections by drive-by-downloads are very perfide. During the surfing in the internet, malware of infected websites can be loaded onto the computer without the possibility to notify it - article by FOCUS-Online-expert Marco Preuss
Stern.de reports in April 2014 about adobe-flash-player with security-lacks that can lead into trojans finding out password and credit-card-information. Updating this software is strongly recommended, same for Java. With UNIX-Systems updates, patches and bugfixes can be be performed from their original sources and that means immediately with the date of their release as much as in the following example:
Checksum helps to prevent the download of trojans out of the internet.
Inceasing amount of data theft, Tagesschau, 07.04.2014
As IT-security-experts tell among other things in conjunction with lacks in security of OpenSSL, In year 2013 data of more than half billions internet-users have been stolen as a result of online-attacks. 552 million identities are involved, as told by a security-company about six × more than 2012.
Sueddeutsche.de, 21.12.2014 tells in a report, that you still can not trust cloud computing and the own data on other far-away-server. We believe not only in security risks of cloud computing, but also in data receiving consulting companies from there. Inspite of our excurs, on the base of some other operating systems there still were a need for security experts in 2014!
Tageschau, 28.04.2014 reports about actually found out one more serios hard security lack in Internet Explorer 6 up to 11 (market share value more than 50 %, 2012, .netApplications), so that XP, no further updates available since 04.08.2014, still has to be updated and even USA advised to use other browser by so called country-protecting organizations. The troubles caused by such Internet Explorer versions would have been such big, that hacker could do harm a lot. Since the last weekend, Microsoft is looking for solutions. The security-whole conisted of a buggish memory-access that enabled users using the IE to gain access to computers to execute mailicious code and to gain control over the computer. This security-lack would have been already taken in use.
AOL email-accounts including security-requests also would have been hackened.
Yesterday Apple Apple warned against data theft due to a lack in security in OS-X. If an attacker is provided access to the same network as other users - for example the usage of abad protected WLAN-connection of a restaurant - he could be able to access data from email-transfer and other communication procedures (protocols), that should have been encrypted instead as already mentioned by Edward Snowden, his former organization would already have taken advantage upon it..
Not much can be done against fake accounts in the name of identity theft of oneself in the internet except by law. One should register oneself in the most popular social networks like facebook to make a contribute to avoid it. Such account should be suited with as few sensible data as possible and be visited regulary in this sense of maintenance.
We, Gooken, also notice, that norisbank (Deutsche Bank) gots certified many times for online banking by german certifiers like "Stitung Warentest", although, as Tagesschau reported, states do invest billons more or less against such this security of encryption! In such cases UNIX-commands like "tcptraceroute" can provide users some important facts about such online-connections (as00.estara.com). Instead OpenSSL should strongly be updated from
openssl.org at least to version >= 1.0.2d past 07.04.2014 ... as part of our DVD-2 mdv2010.0-updates!
Such red marked text does not come to an end on our webside "News&Links", if it were not enough red... . Please click here!
The essential Idea: "PC-refrigerator" through airodynamic
might origin not from us, but is to do everything right at the beginning. Not software, but the exemplary, power-saving and therefore the net-adapter enburdening hardware depicted in our data sheed stands in the middle of interest here. To be more concrete, we talk about the computer tower itself, where everything should prepared for best air-cirulation. This cooling box (hardware-refrigerator) makes it possible to cool down warm air 3 up to 10 degree;C. All you need are one or better two cooler, one for the incoming air right up at the bottom of the front of the tower and one more for at the top of its back for the leaving of the air in a quit fast way. Therefore do not forget to seal the rest of the tower using plastic foils and adhensive tapes. Not only the circulating air but also the metal of the walls of the tower do also have the specifiation to increase the cooling of the inside. If possible, also follow the tip from fr2.rpmfind.net, where the tower of the server system consists of half-cylindered metal plate between the two coolers upon the mainboard. Screen resolution and screen repition rate should be set to "auto" following an almost large rate between 59 up to 95 Hz and higher. Now, the eye-friendly graphic chip can show what is performance especially during extrem burdening play of opengl- and sdl- based computer-games-scenes, while the stable hardware might do its work forever too.
Mandriva Linux 2010 - The Calming
Therefore you almost need:
2 SSD at least a 128 GB or 1 SSD or 1 (external) harddrive of thecapacity of at least the installation-SSD or -harddrive for the restauration and the backup
1 USB-memory stick with a command dd and the partitionmanager gparted providing rescure system, Mindi, Mondo or a DVD with Knoppix (that you can download out of the internet), best, following the manual howto install on harddrive, such Knoppix on a separte, small, greater or equal 250 MB partition on the installation-SSD or harddrive and
1 directory for all the already installed packages.
See, how Linux is prepared for the endurable mouseclick-fast work with SSD:
Linux tips & tricks
Linux ready and optimized for SSD: http://www.pcwelt.de/ratgeber/Linux-Special-SSDs-unter-Linux-6593528.html. The text of this webside is in german language, so we summarize, that we recommend the full-installation of Linux on SSD. Important seems to be the ability to trim the SSD, what can be checked out by the command "hdparm -I /dev/sda | grep -i TRIM". In /etc/fstab
noatime,nodiratime,data=writeback and eventually option
discard should be set for the root-, home- and the temporary partition, for SWAP use commit=0,data=writeback,discard. commit stands for the period, data are written out of the cache onto SSD. Do not set it too high, not above 600. The last thing for the SSD to make work
mouseclick-fast is the installation of the rpm-packages hdparm and sdparm for el7. Following an instruction for Debian, also set in /etc/crypttab the option "allow-discards" for dm-crypt and in /etc/lvm/lvm.conf the option "allow-discards" for LVM (we resigned from LVM), for Btrfs-filesystems also set the mount-option "ssd" in /etc/fstab.
The read-access-time in MB/s can be find out by "hdparm -t /dev/sda" and
one more test still uses both options -t and -T, but also option --direct ("Use O_DIRECT to bypass page cache for timings"), what leads to direct read without page cacheing. This test is almost used, as the pure data flow to the SSD within two resp. three seconds is measured: "hdparm -tT --direct /dev/sda"
Check, if the started kernel does already recognize the SSD: cat /sys/block/sda/queue/rotational
If zero resp. 0, he does! If not, please follow reports like https://wiki.ubuntuusers.de/SSD/Scheduler/
Following this report, the IO-Scheduler can be chosen: noops, deadline or CFQ. cat /sys/block/sda/queue/scheduler shows the activated one in edged brackets. After performing tests like above, choose the right one, that is almost noops, especially deadline by Grub (analogous Grub2) entering in /boot/grub/menu.lst the option "elevator=deadline" past the kernel-options beginning with kernel=... and past ro resp. rw .
The Firmware-version is named by "hdparm -iv /dev/sda"
For TRIM-supporting SSD "discard" can be set not only in /etc/fstab and allow-discards not only in crypttab, but for ext4 also by command tune2fs:
| tune2fs /dev/device-filename resp. ( in the case of LUKS-encryption) tune2fs -o discard /dev/mapper/container_filename |
This command makes the "durable" activation of the SSD-TRIM by option "discard" without blockings much more possible
Universal-Linux BULLET-PROOF: Root-partition read only
For the Root- and Home-Partition depending on conditons, we also can set the ro-Option for read-only, if we do not want to install and update anyhting anymore, do this by following the conditions of the arcticle from http://xpt.sourceforge.net/techdocs/nix/sysmng/sm08-ReadOnlyRootFileSystem/, https://wiki.debian.org/ReadonlyRoot, http://www.linuxfromscratch.org/hints/downloads/files/readonly_rootfs.txt and http://www.logicsupply.com/explore/io-hub/how-to-build-a-read-only-linux-system/ . Even think about the deactivation of the journalling of reiserfs by option "nolog", that keeps the SSD from writing journals (that means logs of the last stable (error-free) state before errors occured, in order to restore in error-cases). More or less, setting root-partition read-only can be considered as useful, but a little bit "paranoid":
"Read-only rootfs: Theory and Practice - Chris Simmonds, 2net
Configuring the rootfs to be read-only makes embedded systems more robust and reduces the wear on flash storage. In addition, by removing all state from the rootfs it becomes easier to implement system image updates and factory reset.
In this presentation, I show how to identify components that need to store some state, and to split it into volatile state that is needed only until the device shuts down and non-volatile state that is required permanently. I give examples and show various techniques of mapping writes onto volatile or non-volatile storage. To show how this works in practice, I use a standard Yocto Project build and show what changes you have to make to achieve a real-world embedded system with read-only rootfs. In the last section I consider the implications for software image update. Expect a live demonstration"
https://www.youtube.com/watch?v=Nocs3etLs9
https://wiki.debian.org/ReadonlyRoot # (usage at your own risk!)
Preconditions
The FHS allows mounting all underneath /bin, /lib, /sbin and /usr read-only. But you can extend this much more by using different filesystems for some trees and take care for special files.
Locations that must be writable are /etc, /home, /srv, /tmp, /var. The hierarchies below /dev, /proc, /selinux and /sys are already handled by special filesystems.
For /tmp you can use a tmpfs filesystem or its own filesystem. For /var it´s prefered to use its own filesystem. An example can look like this:
Device file Filesystem Mount point RO/RW
/dev/sda1 ext2 / ro
/dev/sda2 ext3
/var rw
—
tmpfs /tmp rw
/var/local/home bind mount /home rw
/var/local/srv bind mount /srv rw
You can use a filesystem without a journal for /, because you don´t write there and you don´t need the journal. This can be an ext4, too, hence you can take advantage of the improvements of ext4. Create the filesystem with mke2fs -t ext4 -O ^has_journal /dev/sda1 or remove the journal with tune2fs -O ^has_journal /dev/sda1.
Special files in /etc
You have to take care for some files in /etc. These are
adjtime
because it´s modified on boot up; see bug 156489
Solution for mdv and el6,el7: Change the hwclock-command in /etc/init.d/reboot and /etc/init.d/halt from "hwclock --systohc" to "hwclock --systohc --adjfile=/var/local/adjtime".
Solution for Debian Wheezy:
(1) add the option --noadjfile to HWCLOCKPARS in /etc/init.d/hwclockfirst.sh and /etc/init.d/hwclock.sh
or
(2) fix /etc/init.d/hwclockfirst.sh by replacing -f by -L in "if [ -w /etc ] && [ ! -f /etc/adjtime ] && [ ! -e /etc/adjtime ]; then"; see 520606.
alsa: init.d/alsa-utils
All versions before alsa-utils/1.0.27.2-1 (@2013-10-25 concerns wheezy version) of alsa-utils package startup script creates /.pulse files, leading to multiple error messages "Failed to create secure directory" when pulseaudio is installed.
Relevant bug: 712980
blkid.tab
because it´s modified at runtime by libblkid1
Solution:You can´t create a symlink from /etc/blkid.tab to /var/local/blkid.tab because, unfortunately, libblkid1 will not honor this symlink. It will replace it on every write by a file, if the filesystem is mounted for writing (e.g. while doing an apt-get install). To work around this you must set the environement variable BLKID_FILE to /var/local/blkid.tab. You should do this in /etc/environment to set the variable for everybody, who might do mounting.
courier imap
Courier IMAP uses a text file (/etc/courier/shared/index) for fast user lookups, if running as a mail server for virtual mailboxes (the default configuration of authenticating against pam is unaffected by this).
If using virtual mailboxes with shared accounts the file will need to be moved elsewhere, the directory /var/cache/courier/shared/ would be suitable but will need to be manually created.
Once that is done update /etc/courier/imapd and change IMAP_SHAREDINDEXFILE to IMAP_SHAREDINDEXFILE=/etc/courier/shared/index .
See http://www.courier-mta.org/imap/README.sharedfolders.html for information upstream provide about this setting.
cups
CUPS stores any kind of state files under /etc (classes.conf, cupsd.conf, printers.conf subscriptions.conf) and upstream is against any modification.
Relevant bug: 549673
lvm
Lvm stores a backup of current and archives of previous metadata in /etc/lvm/{backup,archive}. That causes any operation altering the metadata (vgreduce, vgextend, lvcreate, lvremove, lvresize, ...) to fail if / is not remounted read-write during the operation.
Solution: The location of the backup and archives is specified in /etc/lvm/lvm.conf. Set backup_dir = "/var/backups/lvm/backup" and archive_dir = "/var/backups/lvm/archive", create /var/backups/lvm and move /etc/lvm/backup and /etc/lvm/archive there.
Note: Lvm normally creates a backup during boot. This no longer happens as it is smart enough to see that /var is not yet mounted (or still read-only). But unless you use cluster lvm you will always already have a current backup from the last time you changed the metadata. So no harm done.
Relevant bugs: 372207 562234 (for etckeeper behavior WRT LVM files see 462355)
mtab
used by mount
Solution: Create a symlink from /etc/mtab to /proc/self/mounts
mount.cifs (before smbfs 2:3.4.3-1) doesn´t honour this symlink and replace it with a real file; see 408394
mtab is in /etc for historical reasons as per FHS 2.3.
network/run
Used by ifupdown up to Squeeze
Solution: ifupdown links /etc/network/run to /run/network in postinst if /etc/network/run is not a directory.
rm -rf /etc/network/run
dpkg-reconfigure ifupdown
Alternatively: Create a symlink from /etc/network/run to /lib/init/rw/etc-network-run (network/run is accessed by ifupdown init scripts before /var might be mounted, therefore, the abuse of /lib/init/rw)
Systems running Wheezy will be automatically moved to using /run/network no matter what their existing configuration was.
Relevant bug: 389996
nologin
modified on boot up by the initscripts bootmisc.sh and rmnologin
This should already be a symlink to /var/lib/initscripts/nologin
In wheezy the init scripts directly modify /var/lib/initscripts/nologin
resolv.conf
If you have only a static nameserver configuration, then there´s no problem. Otherwise you should use the package resolvconf.
passwd, shadow
These files might be modified by the user with the tools chfn, chsh and passwd. If you are the only user of you system, you can remount the filesystem read/write, before using these tools. Otherwise you might think about using NIS or LDAP.
samba/dhcp.conf
If the dhcp3-client (AKA isc-dhcp-client) package is installed, every time a DHCP connection is established, /etc/dhcp3/dhclient-enter-hooks.d/samba creates /etc/samba/dhcp.conf, no matter if it is used or not in /etc/samba/smb.conf.
Relevant bug: 629406
suck
suck puts files in /etc/suck which are modified by suck at runtime; see 206631 To work around this problem, you have to move /etc/suck/sucknewsrc* to a new directory /var/local/suck, create a symlink /etc/suck/suckkillfile to /var/local/suck/suckkillfile and set etcdir in get-news.conf to /var/local/suck (this sets the -dd option of suck)
udev
If the udev rules 75-cd-aliases-generator.rules and 75-persistent-net-generator.rules are enabled, udev will try to update the files 70-persistent-cd.rules and 70-persistent-net.rules in /etc/udev/rules.d/ if needed. It is recommended to create the files once with all the rules needed and then disable the /etc/init.d/udev-mtab init script. While the root is readonly new rules are added to /dev/.udev/rules.d/.
Copy /var/lock or /var/lock/* to the mini-partition for /var. Do this also for kernel-partition /tmp or set /tmp to read-write. Copy /var/log/* to it too and link it to /tmp: "ln -sf /tmp /var/log/*".
Link the konqueror-browser-cache to /tmp: This means linking some cache-files of /home/user/.kde4 resp. /home/surfuser/.kde4 with the temporary /tmp one.
Enable readonly root
To make your root filesystem mounted readonly, you must edit your /etc/fstab and set the mount option ro.
# /etc/fstab: static file system information.
#
# file system mount point fs-type options dump pass
/dev/hda1 / ext2 defaults,noatime,ro,errors=remount-ro 0 0
/dev/hda4 /var ext3 defaults 0 2
The option noatime is useful while the disk is mounted read/write while updates.
https://wiki.debian.org/ReadonlyRoot, http://xpt.sourceforge.net/techdocs/nix/sysmng/sm08-ReadOnlyRootFileSystem/, http://www.linuxfromscratch.org/hints/downloads/files/readonly_rootfs.txt und http://www.logicsupply.com/explore/io-hub/how-to-build-a-read-only-linux-system/.
ext4 partition READ ONLY mounten - forum.ubuntuusers.de
forum.ubuntuusers.de/topic/ext4-partition-read-only-mounten
Next step: Deactivate journalling-feature of file systems like ext4 and reiserfs (reiserfs: nolog-option) and
disable filesystem-checks by tune2fs (ext4) resp. reiserfstune and by setting the fs-check-parameter for the root-partition to 0.
Now a correcture within /etc/rc.sysinit shall be done:
"if remount_needed ; then
action "Remounting root filesystem in read-write mode: " mount -n -o remount,rw /
fi"
nach
"if remount_needed ; then
action "Remounting root filesystem in read-write mode: " mount -n -o remount /
fi"
see https://bbs.archlinux.org/viewtopic.php?id=135943
At last the kernel-option "ro" should be entered in /boot/grub/menu.lst for grub, for example behind "root=UUID...".
Never mind or nevertheless, If these steps for setting the root-partition read-only do not help, try the following article: http://xpt.sourceforge.net/techdocs/nix/sysmng/sm08-ReadOnlyRootFileSystem/single/
Generally, the security level of software is not only presented by stability, but also by the freeness of errors and warnings during the compilation of their source codes listed by the compiler. Kernel-2.6.32 (el6) consits of many of them and most of them are caused by kmem.h, while kernel-4.20.13 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. kernel-2.6.39.4-5.1 (mdv2011) runs error-free on our system without any warnings during the compilation time of around four hours! The only thing remaining is to patch with the dirty-cow-patch in mm.h and memory.c (listed in the internet). You can get acutal patches for this kernel from see our section for updates.
After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".
New Kernel: Configuration and Installation out of its source
How to install a new kernel: Download and install all binary packages (rpm resp. deb) required for the kernel. Then download and enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package" or file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "menu oldconfig". A file .config is created to configure the kernel.
Set the Kernel-Version at the top of the makefile.
Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from.
FSE (full system encryption) prevents from chroots, mounts (see "man mount") and bootups especially through systems on USB-sticks and from CD/DVD in order to read all kind of data from storage media like harddrives and memory (RAM) and data theft and so on.
For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel-desktop (mdv2011) but not kernel (el6):
within the first item "General Setup"enable "Initial-RAM-filesystem and RAM-disk-support"and in "general drivers" enable the option "Maintain a devtmpfs at /dev/ with subitem "automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know, what to enable or not, choose MM to load as a module wherever possible.
Linus Tovald called the grsecurity-patches rubbish (PRO-LINUX, 2017, 2018):
http://rpmfind.rediris.es/rpm2html/suse-8.2/secumod-1.6e-91.x86_64.html
Nice description, but as far, as I know this kernelmodule does following.
The system is been protected by disallowing several things
- ´texec´ : TPE protection (Trusted Path Execution, more on this later)
- ´procfs´ : procfs protection
- ´hardlink´ : hardlink create protection
- ´symlink´ : symlink follow protection
- ´rawdisk´ : rawdisk protection
- ´pipe´ : Pipe (FIFO) protection
- ´trace´ : process trace protection
- ´systable´ : syscall table checking
- ´logging´ : if you want logging, turn this on
- ´persist´ : by default this is set to 0, so the module can be unloaded,
but you may set it to 1 to make it unremovable
- ´capbits´ : set the capbits value. You have to supply a certain mode for
the capbits variable.
Hardlink/symlinkprotection protects the system from making this links for
users.
Persist sets a capability that the module cannot be unloaded.
Capbits are kernelbits, that define certain rights even for root - in normal
case root could do allmost anything.
Like in all cases you have to know, what you do, because with that module
loaded some processes will not have the full rights they need.
For example I tried a /proc protection module and hotplug freezed after that
(not funny).
There is no real desription of anything reguarding that module and I don´t
know, which bits to set and which not!
Another thing is the opensource thing within that modules, because you can
only use them on SuSE (with some disadvantages you can use the
firewallscript on Debian and Red Hat).
It is allways a nice thing to make more a secret of a thing, than
describing, how it works.
Philippe
https://archive.cert.uni-stuttgart.de/suse-security/2003/09/msg00202.html
grsecurity-patch - Components (similar to secumod), en.wikipedia.org
kernel source: subdirecotry of /usr/src/kernel-version/, "patch -p1 < ../grsecurity.patch"
PaX
A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory, the stack, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses.
Role-based access control
Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy which can be amended as needed.
A list of RBAC features
:
Domain support for users and groups
Role transition tables
IP-based roles
Non-root access to special roles
Special roles that require no authentication
Nested subjects
Support for variables in the configuration
And, or, and difference set operations on variables in configuration
Object mode that controls the creation of setuid and setgid files
Create and delete object modes
Kernel interpretation of inheritance
Real-time regular expression resolution
Ability to deny ptraces to specific processes
User and group transition checking and enforcement on an inclusive or exclusive basis
/dev/grsec entry for kernel authentication and learning logs
Next-generation code that produces least-privilege policies for the entire system with no configuration
Policy statistics for gradm
Inheritance-based learning
Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
Full path names for offending process and parent process
RBAC status function for gradm
/proc//ipaddr gives the remote address of the person who started a given process
Secure policy enforcement
Supports read, write, append, execute, view, and read-only ptrace object permissions
Supports hide, protect, and override subject flags
Supports the PaX flags
Shared memory protection feature
Integrated local attack response on all alerts
Subject flag that ensures a process can never execute trojaned code
Full-featured, fine-grained auditing
Resource, socket, and capability support
Protection against exploit bruteforcing
/proc/pid filedescriptor/memory protection
Rules can be placed on non-existent files/processes
Policy regeneration on subjects and objects
Configurable log suppression
Configurable process accounting
Human-readable configuration
Not filesystem or architecture dependent
Scales well: supports as many policies as memory can handle with the same performance hit
No run-time memory allocation
SMP safe
O(1) time efficiency for most operations
Include directive for specifying additional policies
Enable, disable, reload capabilities
Option to hide kernel processes
Chroot restrictions
grsecurity restricts chroot in a variety of ways to prevent various vulnerabilities and privilege escalation attacks, as well as to add additional checks:
No attaching shared memory outside chroot
No kill, ptrace (architecture-independent), capget, setpgid, getpgid and getsid outside chroot
No sending of signals by fcntl outside chroot
No viewing of any process outside chroot, even if /proc is mounted
No mounting or remounting
No pivot_root
No double chroot
No fchdir out of chroot
Enforced chdir("/") upon chroot
No (f)chmod +s
No mknod
No sysctl writes
No raising of scheduler priority
No connecting to abstract unix domain sockets outside chroot
Removal of harmful privileges via cap
Miscellaneous features
Among other things, it can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging. Some of the other audit types allow the administrator to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging together with its arguments.
Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious
binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user.
grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.
There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.[13]
List of additional features and security improvements:
/proc restrictions that do not leak information about process owners
Symlink/hardlink restrictions to prevent /tmp races
FIFO restrictions
dmesg restriction
Enhanced implementation of trusted path execution
GID-based socket restrictions
Nearly all options are sysctl-tunable, with a locking mechanism
All alerts and audits support a feature that logs the IP address of the attacker with the log
Stream connections across Unix domain sockets carry the attacker´s IP address with them (on 2.4 only)
Detection of local connections: copies attacker´s IP address to the other task
Automatic deterrence of exploit brute-forcing
Low, medium, high, and custom security levels
Tunable flood-time and burst for logging
https://en.wikipedia.org/wiki/Grsecurity
Activate only those options, that will not lead into serious hard malfunctionings of the kernel!
Install paxctld (rpm or tarball from http://www.grsecurity.net)
Save the new .config.
Three possibilites, after the patching of the source-code (in our case the dirty-cow-patch):
make -i rpm (to create the binary kernel-rpm package, what endures on our system for around four hours)
make bzImage (to create its core vmlinuz for /boot only after renaming the created file bzImage: time needed: around 30 minutes) or
make bzImage &&make modules &&make modules_install for the installation of the kernel-modules too.
Copy the bzImage to /boot, rename it to vmlinuz-kernelversion.
Use mkinitrd resp. in the case of FSE (Full Disk Encryption resp. encrypted root-partition) dracut to create the initrd resp. initramfs within directory /boot.
If you use grub as the bootloader and not grub2 and the configufile is still not configured for the new kernel, do this by editing /boot/grub/menu.lst and exchanging the vmlinuz-kernel-versions. If a new initramfs or initrd is created, enter them in the line for initrd.
done.
In our /grub/menu.lst, quit the same for grub2, the resulting entry for FSE (Full System Encryption) performed according to by gentoo-Schnatterente is:
title dracut-mdv-008-Linux
password --md5 DOLLARSIGN103Axa2112...
kernel (hd0,7)/vmlinuz BOOT_IMAGE=dracut-mdv-008-Linux root=UUID=2193ab...rootfstype=ext4 ro elevator=deadline nosmp security=none panic=0 apparmor=0 selinux=0 disable=IPV6 audit=0 hibernate=protect_image iomem=strict nosmp iomem=relaxed speedboot=yes KEYMAP=de LANG=de_DE.UTF-8 intel.audio=1 intel.modeset=1 intel.dpm=1 rd.luks=1 rd.lvm=0 rd.md=0 rd.luks.allow-discards rd.luks.uuid=ab1....vga=795 video=VGA-1:1366x768 tz=Europe/Berlin
initrd (hd0,7)/initramfs
0 of (hd0,7) stands for sda, 1 for sdb usw. and 7 for the boot-partition sda8, deadline for the SSD optimizing elevator resp. scheduler to choose, what is introduced soon through the configuraiton by special echo-commands.
kernel.yama.ptrace_scope=3
# 0 - Default attach security permissions.
# 1 - Restricted attach. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
3 - No attach. No process may call ptrace at all. Irrevocable.
echo "kernel.yama.ptrace_scope=3" > /etc/sysctl.d/10-ptrace.conf
Boot-paramter-list:
http://redsymbol.net/linux-kernel-boot-parameters/2.6.39/
The rescue-system Knoppix (Debian Linux, in our case Wheezy ol´ stable i386 (32 bit) from year 2010 with partition-manager gparted and dd, browser iceweazel and many tools and software) copied from DVD to an extra partition of at least 250 MB is listed in /boot/grub/menu.lst of the bootmanager Grub as follows:
title Rescue
password....
root(hd0,4)
kernel /boot/isolinux/linux knoppix keyboard=de lang=de_DE.UTF-8 desktop=kde tz=Europe/Berlin
initrd /boot/isolinux/minirt.gz
boot
It boots within few seconds and makes password-request to make it run and to get decrypted from its partition. After the login, in order to decrypt all the other LUKS-encrypted partitions, LUKS/dm-crypt should be installed, so at first packet cryptsetup has to be downloaded from the Debian-pool (debian.org). Update glibc too. If you want, you can update and/or increase this system up to a more comfortablel Debian Linux on an enlarged partition.
Information about the availability of TRIM of a SSD for the TRIM with discard-option on the base of ext4 out of /etc/fstab:
| hdparm -I /dev/sda | grep -i trim |
Our partition-concept for MCC-" partition manager (local harddrives) or gparted upon parted,
our partiitions on SanDisk SSD 120 GB:
LUKS-(cryptsetup)-encrypted extra partition (for sensible data and so on, with a key-file, that means for automatic encryption and decryption): 29 GB
LUKS-(cryptsetup)-encrypted root-partition ("schnatterschnatter - but no ente"quot;): 50 GB
LUKS-(cryptsetup)-encrypted (urandomed self de- and encrypting) SWAP-partition: 1,9 GB (2 GB RAM)
Boot-partition (unencrypted, so that this partition should be backuped to compare files like kernel named vmlinuz with md5sum or sha1sum) : 203 MB
KNOPPIX-encrypted-partition Knoppix (rescue system from DVD, a up to year 2016 actualized Debian Ol´ Wheezy from year 2010 with gparted, dd and much more. LUKS (cryptsetup) should be installed additionally too for editing above listed other partitions): 894 MB
LUKS-(cryptsetup)-encrypted home partition (encrypted and decrypted automatically during boot by a once generated belonging key-file from the root-partition): 34 GB
Advantage: easy handling, without Logical Volume Management (LVM) !
This all 1:1 upon another securing media, in our case the same one and therefore one more SanDisk 120 GB.
/etc/crypttab
# <target name> <source device> <key file> <options>
cryptohome UUID=.... /somewhere/keyfile luks,data=ordered,allow-discards
cryptswap /dev/sda_certain_number /dev/urandom swap,check=/bin/true,data=ordered,allow-discards
/boot/grub/menu.lst:
setkey y z
setkey z y
setkey Y Z
setkey Z Y
setkey equal parenright
setkey parenright parenleft
setkey parenleft asterisk
setkey doublequote at
setkey plus bracketright
setkey minus slash
setkey slash ampersand
setkey ampersand percent
setkey percent caret
setkey underscore question
setkey question underscore
setkey semicolon less
setkey less numbersign
setkey numbersign backslash
setkey colon greater
setkey greater bar
setkey asterisk braceright
timeout 10
password --md5 ...
default 0
kernel (hd0,7)/vmlinuz BOOT_IMAGE=linux root=UUID=c1... rd.luks.allow-discards rootfstype=ext4 nosmp elevator=deadline security=none nosmp speedboot=yes panic=0 apparmor=0 iomem=strict hibernate=protect_image disable=IPV6 selinux=0 audit=0 KEYMAP=de LANG=de_DE.UTF-8 intel.audio=1 intel.modeset=1 intel.dpm=1 rd.luks=1 rd.multipath=0 rd.dm=0 rd.lvm=0 rd.md=0 rd.shell=0 rd.luks.uuid=3... video=VGA-1:1366x768 vga=795 tz=Europe/Berlin desktop=kde
initrd (hd0,7)/initramfs-4.9.49
The root-partition seems to be sized quit small, so choose 60 GB instead of 50, we suggest to the disadvantage of the extra partition.
Order each entry in the device-configuration-file /etc/fstab: 1 device-file (partition or disc))/device/UUID/kernel-partition 2 mountpoint 3 filesystem 4 mount-options 5 Dump 6 fsck (self-check during the system start resp. boot), details:
So in /etc/fstab we can set for ext4 (discard supported), ext3 (withoud discard), reiserfs (without discard), reiser4fs (discard), btrfs (discard), vfat (without discard):
root-partition: UUID=... / ext4 notail,noatime,nodiratime,barrier=flush,data=writeback,nouser,user_xattr,mode=500,async,commit=0,umask=077,iocharset=utf-8,acl 0
Bootpartition (hier wegen dracut): UUID=... /boot ext4 noatime,nodiratime,ro,nouser,nouser,noexec,async,nosuid,mode=500,umask=077,user_xattr,data=writeback,commit=0,iocharset=utf-8,acl 0 3
Home-Partition: /dev/mapper/cryptohome /home ext4 rw,suid,nodev,noexec,nosuid,auto,async,noatime,nodiratime,discard,data=writeback,commit=0,nouser_xattr,barrier=1,journal_checksum,mode=700,umask=077,errors=remount-ro,iocharset=utf-8 0 # automatic cryptsetup is recommended (cryptsetup-option --key-file): Only access over the root-partion with the stored key-file will be possible. Acess-rights for the key-file: chown root:root path_to_key_file/key.asc && chmod 400 /patch_to_key_file/key.asc
# exec or noexec
/dev/cdrom /media/cdrom auto umask=0,users,noauto,iocharset=utf8,ro,noexec 0 0
proc /sid-root/proc proc notail,noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,data=writeback,mode=555,hidepid=2,gid=user,surfgroup,torgroup 0 0 # mouseclick-fast
none /proc proc notail,noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,data=writeback,mode=555 0 0
# usbfs /proc/bus/usb usbfs rw,relatime,devgid=43,devmode=664,noexec 0 0 # if not already mounted during system boot; notice: MCC-Partiton-Manager and so on will miss /proc/bus/usb
sysfs /sid-root/sys sysfs notail,noatime,nosuid,nodiratime,rw,noexec,nouser,nosuid,nodev,data=writeback,mode=555 0 0
Temporary, tmp ins RAM::
tmpfs /tmp tmpfs noatime,nodiratime,noexec,ro,nodev,nouser,nosuid,mode=1777,size=8M 0 0 # original tmp, that was made hidden by firejail using option "private-tmp" within any /etc/firejail/config-files
shm /tmp tmpfs noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,mode=1777 0 0
tmpfs /tmp2 tmpfs noatime,nodiratime,noexec,ro,nodev,nouser,nosuid,mode=1777,size=128M 0 0 # one more tmp for the down- and uploads
shm /tmp2 tmpfs noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,mode=1777 0 0
#SWAP:
/dev/mapper/cryptswap swap swap defaults,discard,rw,data=writeback 0 0
none /dev/pts devpts mode=620,gid=5,rw
UUID=... /var/local ext4 rw,noatime,nodiratime,nosuid,aync,nodev,noexec,user_xattr,acl,barrier=1,data=writeback,mode=755,umask=077,commit=0,iocharset=utf8 # needed in small size of around 1 GB in order to mount the root-partition read-only
binfmt /proc/sys/fs/binfmt_misc binfmt_misc rw,noatime 0 0 # binfmt_misc is a capability of the Linux kernel which allows arbitrary executable file formats to be recognized and passed to certain user space applications, such as s emulators and virtual machines. The executable formats are registered through a special purpose file system interface (similar to /proc). Debian-based distributions provide the functionality through an extra binfmt-support package.[1]...see https://en.wikipedia.org/wiki/Binfmt_misc
securityfs /sys/kernel/security /mnt/any_mountpoint securityfs rw,noatime 0 0 # lsm, secure fs for kernel-security-modules ... or mount it within /etc/rc.local by "mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2"
# and /etc/fstab of our USB-stick:
/dev/sda1 / unionfs 0 1
/dev/mapper/usbstick1 /media/mnt_usb1 vfat rw,nosuid,nodev,uhelper=hal,users,noexec,uid=10001,utf8,shortname=mixed,flush,umask=077 0 1 # An entry in /etc/crypttab only instead of both files fstab and crypttab is sufficient. LUKS-encrypted USB-memory-stick with UUID (you can find out by mount -l ) and name usbstick1 within /etc/crypttab. Also think about mounting this encrypted USB-stick without having to enterthe password for encryption manually each system boot by creating a key-file or using the already present one from cryptohome, adding this key-file to /etc/crypttab and assocating it with the USB-stick by the command "cryptsetup luksAddKey /dev/sdc1 /path_to_keyfile/keyfile". Notice, that it might not be necessary to add this entry for an USB-memory stick in /etc/fstab here. Do this only in the case of problems with their hotplug!
/etc/fstab: Set the UUIDs instead of the named device-partitions
Find out the UUIDs with the console-command "blkid" (this is not possible for the internal kernel-partitions).
AHCI-Mode: BIOS-setup for SSD
Start the Bios- / Firmware-setup and look, if the AHCI-Modus (Advanced Host Controller Interface) for the SATA-adapter is active. Alternatively "RAID" is possible too.
You can almost find the option in the menu under "Advanced -> Integrated Peripherals", "SATA Configuration" or "PCH Storage Configuration". Elder mainboard-platines do also have the option "IDE", in order to increase the throughput of the harddrives, if not chosen. If there is provided only "IDE", you must resign from the SATA-optimization.
On a side for overview ("System Status" or similar side) you almost find infomation about the SATA-Port the harddrives get connected. New motherboards only do have SATA-ports with fast 6 GBit/s (SATA III) and any port can be used. SATA II as much as SATA I fullfill our criteria to make all running mouseclick-fast.
And in /etc/rc.local (started by adding "sh /etc/rc.local" from any activated bootscript of /etc/init.d/, followed by a system-restart) for optimized SSD (in our example on the first S-ATA-port named sda) we choose the following parameters after a check with "hdparm -I /dev/sda": and "man hdparm":
hdparm -W1a0A0 /dev/sda (also try other optimizing parameters of hdparm)
echo deadline > /sys/block/sda/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
touch /var/lock/subsys/local
SSD: commit=0: mouseclick-fast
Option defaults consists of the for security significant async,nouser,rw,suid,dev,exec,auto.
man mount: "All I/O to the filesystem should be done synchronously. In case of media with limited number of write cycles (e.g. some flash drives) "sync" may cause life-cycle shortening." In other words, for SSD prefer option async!
The namely security advised option "W0" instead of elected W1 deactivates the write-cache of the SSD, what protects data even more in the case of system hangons and breakdowns. More parameters of hdparm are explained by "hdparm -h" and manpages, see "man hdparm".Notice, that for more performcance "W1" for write-cacheing is generally recommended.
The pair of number from above like "0 1" stands for dump equal to no and fsck equal to yes, while the number itself stands for 0 none (no check), 1 recommended for the root-partition, 2 for all other partitionss and 3 for all less important partitions. With these setting, named filesystem can not be damaged anymore, otherwise, if ever thinkable, use manually "reiserfsck --no-tree device_file" to do its best for reiserfs.
umask: generally sets the access-rights as a subtrahend: Set umask 022 standing for less or equal 755 resp. umask 077 for less or equal 700 for the root- and home-partition in /etc/fstab and also in: /etc/profile, /etc/login.defs, /home/user/.bash_profile, /home/surfuser/.bash_profile, /root/.bash_profile, ROOT_UMASK=077 in /etc/security/msec/level.secure and USER_UMASK=077; acl: enable POSIX Access Control Lists.
Keep everything as SSD-friendly and mouseclick-fast you can, link the browser-cbache of Konqueror to the temporary directory /tmp being part of shm (shared memory, RAM) from fstab above:
rm -df /home/surfuser/.kde4/cache-localhos and ln -sf /tmp /home/surfuser/.kde4/cache-localhost, /home/surfuser/tmp, /home/user/.kde4/cache-localhost, /home/user/.kde4/socket-localhost, /home/user/.kde4/tmp, /home/user/.kde4/tmp-localhost and
ln -sf /tmp/kde-user /home/user/.kde4/tmp-localhost.localdomain, ln -sf /tmp/kde-surfuser/.kde4/tmp-localhost.localdomain . In the long run this spares plenty of cleaning. Do not link cache-localhost.localdomain and socket-localhost.localdomain, as this might cause some problems starting KDE.
ln -sf /tmp /home/alluser/.cache2 && rm -dfr /home/alluser/.cache &&rename /home/alluser/.cache2 /home/alluser/.cache /home/alluser/.cache2
bleachbit (el6, cleaner): This program can cause serious hard damage!
We go on for SSD: Option discard is not functioning each kernel and SSD. commit sets the interval or frequency for write-operations, what is 5s per default. It is not recommended to change this value. barrier is one more feature of ext4 and ext3 caring for writing (coherent) data right in front of a barrier before such coherent data are writtten behind it. barriers=1 effects more securirty, while barriers=0 contributes to more perfmormance. ro for read-only still should not be set for the root-partition. This would have caused "skipping journal replay". data=writeback means "Data ordering (data=ordered) is not preserved, data may be written into the main file system after its metadata has been committed to the journal.", options see http://www.mjmwired.net/kernel/Documentation/filesystems/ext4.txt#169 . Most options are accepted by ext3 too, but not reiserfs. Notice, that reiserfs does not accept all of the listed options like barrier, errors and discard, inspite of this option nolog is accepted. Test options by "mount -o options devicefile mountpoint", before they are set in /etc/fstab!
rpm-description cmospwd (el6): "CmosPwd decrypts password stored in cmos used to access BIOS SETUP. Works with the following BIOSes * ACER/IBM BIOS * AMI BIOS * AMI WinBIOS 2.5 * Award 4.5x/4.6x/6.0 * Compaq (1992) * Compaq (New version) * IBM (PS/2, Activa, Thinkpad) * Packard Bell * Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107 * Phoenix 4 release 6 (User) * Gateway Solo - Phoenix 4.0 release 6 * Toshiba * Zenith AMI With CmosPwd, you can also backup, restore and erase/kill cmos."
So at first, generally the best thing one can do, is to abrogate the complete internet-access (what we do not suppose...) and to get a spare-parted backup-SSD or harddrive for the case of all the on mdv2010 remaining unsolved dependencies of packages your are going to install, that means in order to
Browser-Cache into RAM
about:config ->, to add a new entry type string
with the value /shm
After a newstart, firefox is cached into RAM. Go quit the same way for other browsers, source: http://wiki.siduction.de/index.php?title=Solid_State_Disks_(SSDs)_unter_Linux_optimal_nutzen&printable=yes. For Konqueror just link directory /home/username/.kde4/localhost-cache to /shm.
Convince yourself to get gnutls (el7) with libtasn1 (el7) installed. Otherwise gnutls might not work correctly for firefox.
| backup partitionwise 1:1 by command dd (details see below) |
Flashrom, Coreboot
Have a second BIOS-chip. Save the actual BIOS-firmware of the used BIOS-chip into a bin(ary) resp. rom-file. This can be done by an utility from the disc with drivers for the mainboard, out of the internet or by the UNIX-(Linux)-program called flashrom. flashrom is a utility for detecting, reading, writing, verifying and erasing flash chips. It´s often used to flash BIOS/EFI/coreboot/firmware images in-system using a supported mainboard, but it also supports flashing of network cards (NICs), SATA controller cards and other external devices, which can program flash chips. On malfunction especially after the powering on of the computer, you can flush the BIOS through the backup up right from the desktop, if not, you have to exchange the chip or the net-adapter, same for the RAM, that can be checked by progs of UNIX (Linux) like
memtest. For the protection against wiretapping bedbugs care for "
chassis intrusion detection", for the usage of as few USB-cards as possible, if the BIOS is resetted and if there are any hearable feedbacks from hardware inspite of FCC. Compare constructions and notice any specifications direct from the platines like the manufacturer-types or -ID . With some luck, a radio tunes their frequencies.
"Welcome to
coreboot!
coreboot is an Open Source project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.
With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly from firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.
coreboot currently supports over 230 different mainboards. Check the Support page to see if your system is supported."
https://www.coreboot.org/Welcome_to_coreboot
https://www.coreboot.org/Supported_Motherboards
Password-protection
If Linfw3 is used, so that root and all other user except a special surfuser get blocked, and if all other methods introduced here on this webside are performed, no password hacking and cracking is ever possible anymore, even not after the password got known by other ones and independent from its name or constitution or who and whatever, neither from the outside (net), inside (software) nor direct at office or home or anywhere. Keys for the LUKS-encrypted partitions must be stored on a portable USB-memory-stick, better memory-/chip-card or fingerprint-scanner
Password-protection on our introduced exemplary system:
BIOS-password
Grub-md5-Password for all bootable partitions and memory-check within /boot/grub/menu.lst
Special (own) inportable password for always LUKS-encrypted partitions on the base of FSE (Full System Encryption) with keys (passwords) for the dracut-enbound root-Partition on a LUKS-password encrypted USB-memory-stick, rest (see
exemplary listed /etc/fstab) as sha2-key-file for user:group root:root and chmod 400 within any directory of the root-partition
Secured LUKS-root-partition with manual password-login onto a separate storage media for the cass of data loss from USB-memory-stick etc.
ACL-locked su-login for "surfuser"
Keys (passwords) for the additional encryption of e-mail and single directories and files with gnupg (kgpg) within the for "surfuser" by ACL inaccessible made directory .gnupg
desktop-manager: user-password for kdm and other desktop manager (or simplefying automized login free from password-entry)
Passwörds for LUKS-encrypted USB-memory-sticks
Password-manager for the twice password-encrypted access storage for all other passwords: revelation (el6, el7, rosa2014.1, rosa2016.1, fc 2X)
/etc/shadow (password-)file: chown root:root and chmod 400
inacccessible shell-bash-login in /etc/passwd and eventually usage of sandbox firejail with option "shell none"
Password protection, Focus, 11.04.2015
Snowden meant, hacker could hack a primitive password within one second. But the whistleblower gives tipps, how to keep passwords safe, so that they can not be hacked: by passphrases. Most passwords are simple variants like "12345678", "password" or the forename of the user. Edward Snowden thinks, passwords with the length of eight characters still do remain very insecure. They could be hacked by supercomputers in less than one second. Passphrases are passwords consisting of more than one word. Long, one time appearing sentences like
are easy to remember and combine different characters. They could not be decrypted by hacking programs.
A similar uncrackable method for password generation is described by PCWelt.de on http://www.pcwelt.de/ratgeber/So-erstellen-und-merken-Sie-sich-wirklich-sichere-Passwoerter-ohne-Zusatz-Tools-9940466.html .
Expert explains: The perfect password would be cracked by hackers in 227 millionen years, FOCUS Online, 09.05.2018
https://www.focus.de/digital/videos/geheimnis-liegt-in-drei-worten-experte-erklaert-hacker-wuerden-227-millionen-jahre-fuer-dieses-passwort-brauchen_id_7744168.html
Passwords are stored in the, as we hope, only root-accessible /etc/shadow for Linux. This file is handled over /etc/passwd listing usernames, belonging groups, "x" as a replacement for the password to read-in and so on.
| All sensible data should never be stored on the onboard resp. plugged-in storage-media, SSD and harddrives and only onto those unplugged ones containing the backups and onto well-encrypted USB-memory-sticks! |
More Internet Security
pam_shield (el6): pam_shield is a PAM module that uses iptables to lock out script kiddies that probe your computer for open logins and/or easy guessable passwords. pam_shield is meant as an aid to protect public computers on the open internet. An IP can also be entered manually by the command shield-trigger add 122.22.1.2 into the belonging database, same through "del" for deletion..pam_shield should get configured in /etc/security/shield.conf.
fail2ban (el6): Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
DenyHosts is a Python script that analyzes the sshd server log messages to determine which hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host and, upon discovering a repeated attack host, updates the /etc/hosts.deny file to prevent future break-in attempts from that host. Email reports can be sent to a system admin.
If you beware this principle, the computer generally provides the promised security for you.
Of course we tested and possess MS Windows. As we all know, it is not sufficient just to install an operating system and security-software to call the computer-system really secure, while finding out, that effective solutions may cost time!
Installation should be done by users with the rights of the system-administrator only. During installation the signatur helps to be aware of the origin of software. Before the installation itself, packet-manager
check out dublications and dependencies. If a packet is ever missing,
packet-manager like urpmi can download and install all needed packages from different sources and the internet. to solve them. After that, version-control by CVS (Version Controlling Systems) can also do their best. The packet-database seems to be similar to the MS-Win-registry, but it is not such complex.
If the packet-database should ever be damaged, it can be repaired in a simple way by the commands rm -f /var/lib/rpm/__* and rpm --rebuilddb. If this should not help, start the MCC packet-manager rpmdrake, in order to install any packet. rpmdrake is almost able to solve such conflicts. Notice, that MCC´s downloaded files are at least temporary in directory /var/cache/urpmi/rpms. Not all of the infinite amount of packet-dependencies are solved, even not in mdv2010!
Indeed: Our experience in mdv2010 tells us, that the only weak point grounds still in the overwhelming amount of existing packet-dependencies during an intensive installation of packages online (with a high amount of packages) by rpmdrake from MCC (drakconf) quit "at once" of a complexity much higher than from installation-DVD. Therefore we recommend not to download too many packets, not more than 50 "at once" and to have a look into the directory /var/lib/urmpi/rpms, where the not installed packages are still stored, if MCC is set to "do not empty the packet-cache after download" before. Then error-messages of the reinstallation by packet-manager like rpm, urpmi and yum almost tell what to do next - if there is inspite of checks of rpmdrake within the packet still any rpm, especially library-rpm, missing or if one rpm conflicts with another one to delete it before reinstallation is possible.
We repeat: agesschau, 07.31.2014: Actually scientific experts found out, that sensible data can be read out through microcontrollers (processors) from USB-sticks, see the report from our linkside under the point links! Therefore a new USB-standard is devoloped. By this, all data of computers can be read out, even passwords and email-contents as much as devices be steered like webcams. The operating sytem does not notice all of this, as it believes in key-strokes and not software attacks.
mouseclick-fast
Mouseclick-fast: We almost have just the following
services activated through MCC: NetworkManager, acpid, alsa, cups, dnsmasq, gpm, ip6tables, iptables, jexec, linfw3, lm_sensors, partmon, postfix, sound, sysstat, udev-post, uuidd, wine and sometimes ntpd and httpd.
That´s all. So service network got deactivated too by command "chkconfig --level 2345 network off".
Increase the surf-speed with the browser, press STRG and ESC, choose the process for the browser by right clicking onto him and pull the appearing shift register for the process-priority at least one quarter length right. Alternatively use the terminal-commands nice and renice for a priority between -20 and 19 incl., default is 0 (source. Focus Onine, 07.11.2015);
Gooken recommends extrem high priorities for Dolphin, Kmail, Kontact, Kopete, Office, some OpenGL- and SDL-games (if useful) and Konqueror and/or any other browser,
Brake block and espionage: "root,-1", ( dangerous, speed lowering ) (system-)process named unknown (for login under uid:0) of owner "root,-1" with changing PID and unknown dimesioned CPU-enburdening "kept secret"
In advance, this might really help: setfacl -m u:root:- /usr/libexec/gam_server
. Also exchange gamin (mdv2010) with gamin (pclos2017).
http://stackoverflow.com/questions/13655110/how-to-kill-a-process-whose-pid-keeps-changing:
Such a process is called a "comet" by systems administrators.
The process group ID (PGID) doesn´t change on fork, so you can kill it (or SIGSTOP it) by sending a signal to the process group (you pass a negated PGID instead of a PID to kill).
answered Dec 1 ´12 at 1:18
caf
161k18208340
What if it calls setpgid/setsid each time too? :-) - R.. Dec 1 ´12 at 2:28
The only reason, I can see, why you wouldn´t see it is, that the forked child has not been created yet but the parent has progressed far enough in it´s death that it is no longer listed.
Unfortunately I don´t think it´s possible to kill this kind of process without some guessing. To do so would require knowing the next pid in advance. You can guess the next pid but not be certain that no other pid gets it assigned.
We generally want to get rid of such processes: Wait for our new experiences at this place! Mouseclick-fast and secure: the ultimative speed boost beneath SSD-technology from see data-sheed: At first, update the gam_server (gamin (fc25) and gamin-server (OpenSuSE13.2) with gam_server into /usr/libexec) or remove it (like in OpenSuSE, where gamin is not offered), that might has to do with it and never connect to the ISP (Internet Service Provider) using the NetworkManager (el6) together with networkmanager-applet (mdv2010.2), but through "ifup eth0" by surfuser (but without naming surfgroup) instead, maybe out of the K-Menu, in the case of Konqueror for example set:
| renice -n 18 `pidof konqueror` |
that means for surfuser joining surfgroup in order to start konqueror after the login to surfuser:
| "knemo && sg surfgroup konqueror && renice -n 18 `pidof konqueror` && kded4" |
rpm-description: "Run command in restricted environment. Chrootuid makes it easy to run a network service at low privilege level and with restricted file system access. At Eindhoven University, they use this program to run the gopher and www (world-wide web) network daemons in a minimal environment: The daemons have access only to their own directory tree, and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software."
Or additionally on the base of the suid-sandboxfirejail (ram80: 0.9.44.8-1, rosa2014.1, rosa2016.1, pclos2017 or https://sourceforge.net/projects/firejail/) for all programs online and untrusted (following the includes, that might be some, we chose firejail for quit all), one more program for mdv2010.2 or el6 from rosa2014.1, that you also can download from here:
firejail-0.9.52-1pclos2017.x86_64.rpm (from December 2017, vendor:none, pbone.net)
or
download firejail pclos2017 preconfigured by us for firefox, Konqueror and kmail and so on from our update-section preconfigured by us for firejail-0.9.52-1.
| "knemo && sg surfgroup "firejail --private=/home/surfuser konqueror" && renice -n 18 `pidof konqueror` && kded4" |
or, enhanced with option --profile:
| "knemo && sg surfgroup "unshare firejail --nice=18 --profile=/etc/firejail/konqueror.profile --private=/home/surfuser konqueror" && kded4" |
This call seems to get quit long, so for a start with priority 18 from -20 up to 20 by a single (or double) mouseclick do not forget to add an this command into the belonging entry for konqueror within the k-menu, on the desktop or in the quick-starter of the taskline. For shell-scripts this can be done by "xterm -e /path_to/shellscript.sh" resp. "konsole -e /path_to/shellscript.sh"
Linux namespaces sandbox program firejail, https://sourceforge.net/projects/firejail/
"Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x (and 4.20.13 with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. 2.6.39.4-5.1, com., Gooken) kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc."
Firejail is a SUID sandbox program, that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces.
firejail - version 0.9.48
Options:
-- - signal the end of options and disables further option processing.
--allow-debuggers - allow tools such as strace and gdb inside the sandbox.
--allow-private-blacklist - allow blacklisting files in private
home directories.
--allusers - all user home directories are visible inside the sandbox.
--apparmor - enable AppArmor confinement.
--appimage - sandbox an AppImage application.
--audit[=test-program] - audit the sandbox.
--bandwidth=name|pid - set bandwidth limits.
--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.
--bind=filename1,filename2 - mount-bind filename1 on top of filename2.
--blacklist=filename - blacklist directory or file.
-c - execute command and exit.
--caps - enable default Linux capabilities filter.
--caps.drop=all - drop all capabilities.
--caps.drop=capability,capability - blacklist capabilities filter.
--caps.keep=capability,capability - whitelist capabilities filter.
--caps.print=name|pid - print the caps filter.
--cgroup=tasks-file - place the sandbox in the specified control group.
--chroot=dirname - chroot into directory.
--cpu=cpu-number,cpu-number - set cpu affinity.
--cpu.print=name|pid - print the cpus in use.
--csh - use /bin/csh as default shell.
--debug - print sandbox debug messages.
--debug-blacklists - debug blacklisting.
--debug-caps - print all recognized capabilities.
--debug-check-filename - debug filename checking.
--debug-errnos - print all recognized error numbers.
--debug-protocols - print all recognized protocols.
--debug-syscalls - print all recognized system calls.
--debug-whitelists - debug whitelisting.
--defaultgw=address - configure default gateway.
--dns=address - set DNS server.
--dns.print=name|pid - print DNS configuration.
--env=name=value - set environment variable.
--force - attempt to start a new sandbox inside the existing sandbox.
--fs.print=name|pid - print the filesystem log.
--get=name|pid filename - get a file from sandbox container.
--help, -? - this help screen.
--hostname=name - set sandbox hostname.
--hosts-file=file - use file as /etc/hosts.
--ignore=command - ignore command in profile files.
--interface=name - move interface in sandbox.
--ip=address - set interface IP address.
--ip=none - no IP address and no default gateway are configured.
--ip6=address - set interface IPv6 address.
--iprange=address,address - configure an IP address in this range.
--ipc-namespace - enable a new IPC namespace.
--join=name|pid - join the sandbox.
--join-filesystem=name|pid - join the mount namespace.
--join-network=name|pid - join the network namespace.
--join-or-start=name|pid - join the sandbox or start a new one.
--list - list all sandboxes.
--ls=name|pid dir_or_filename - list files in sandbox container.
--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.
--machine-id - preserve /etc/machine-id
--mtu=number - set interface MTU.
--name=name - set sandbox name.
--net=bridgename - enable network namespaces and connect to this bridge.
--net=ethernet_interface - enable network namespaces and connect to this Ethernet interface.
--net=none - enable a new, unconnected network namespace.
--netfilter[=filename] - enable the default client network filter.
--netfilter6=filename - enable the IPv6 network filter.
--netns=name - Run the program in a named, persistent network namespace.
--netstats - monitor network statistics.
--nice=value - set nice value.
--no3d - disable 3D hardware acceleration.
--noblacklist=filename - disable blacklist for file or directory .
--noexec=filename - remount the file or directory noexec nosuid and nodev.
--nogroups - disable supplementary groups.
--nonewprivs - sets the NO_NEW_PRIVS prctl.
--noprofile - do not use a security profile.
--nosound - disable sound system.
--novideo - disable video devices.
--nowhitelist=filename - disable whitelist for file or directory .
--output=logfile - stdout logging and log rotation.
--overlay - mount a filesystem overlay on top of the current filesystem.
--overlay-named=name - mount a filesystem overlay on top of the current filesystem, and store it in name directory.
--overlay-tmpfs - mount a temporary filesystem overlay on top of the current filesystem.
--overlay-clean - clean all overlays stored in DOLLARSIGNHOME/.firejail directory.
--private - temporary home directory.
--private=directory - use directory as user home.
--private-home=file,directory - build a new user home in a temporary
filesystem, and copy the files and directories in the list in the new home.
--private-bin=file,file - build a new /bin in a temporary filesystem and copy the programs in the list.
--private-dev - create a new /dev directory. Only dri, null, full, zero,tty, pst, ptms, random, snd, urandom, log and shm devices are available.
--private-etc=file,directory - build a new /etc in a temporary filesystem, and copy the files and directories in the list.
--private-tmp - mount a tmpfs on top of /tmp directory.
--private-opt=file,directory - build a new /opt in a temporary filesystem.
--profile=filename - use a custom profile.
--profile-path=directory - use this directory to look for profile files.
--protocol=protocol,protocol,protocol - enable protocol filter.
--protocol.print=name|pid - print the protocol filter.
--put=name|pid src-filename dest-filename - put a file in sandbox container.
--quiet - turn off Firejail´s output.
--read-only=filename - set directory or file read-only..
--read-write=filename - set directory or file read-write..
--rlimit-fsize=number - set the maximum file size that can be created by a process.
--rlimit-nofile=number - set the maximum number of files that can be opened by a process.
--rlimit-nproc=number - set the maximum number of processes that can be created for the real user ID of the calling process.
--rlimit-sigpending=number - set the maximum number of pending signals for a process.
--rmenv=name - remove environment variable in the new sandbox.
--scan - ARP-scan all the networks from inside a network namespace.
--seccomp - enable seccomp filter and apply the default blacklist.
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
--seccomp=syscall,syscall,syscall
Enable seccomp filter, blacklist the default list and the syscalls specified by the command.
Example: firejail --seccomp=utime,utimensat,utimes firefox
--seccomp.drop=syscall,syscall,syscall
Enable seccomp filter, and blacklist the syscalls specified by the command.
Example: firejail --seccomp.drop=utime,utimensat,utimes
--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and whitelist the syscalls specified by the command.
--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and return errno for the syscalls specified by the command.
--seccomp.print=name|pid - print the seccomp filter for the sandbox identified by name or PID.
--shell=none- run the program directly without a user shell.
--shell=program - set default user shell.
--shutdown=name|pid - shutdown the sandbox identified by name or PID.
--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.
--top - monitor the most CPU-intensive sandboxes.
--trace - trace open, access and connect system calls.
--tracelog - add a syslog message for every access to files or directories blacklisted by the security profile.
--tree - print a tree of all sandboxed processes.
--version - print program version and exit.
--veth-name=name - use this name for the interface connected to the bridge.
--whitelist=filename - whitelist directory or file.
--writable-etc - /etc directory is mounted read-write.
--writable-var - /var directory is mounted read-write.
--writable-var-log - use the real /var/log directory, not a clone.
--x11 - enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension.
--x11=none - disable access to X11 sockets.
--x11=xephyr - enable Xephyr X11 server. The window size is 800x600.
--x11=xorg - enable X11 security extension.
--x11=xpra - enable Xpra X11 server.
--x11=xvfb - enable Xvfb X11 server.
--zsh - use /usr/bin/zsh as default shell.
Examples:
DOLLARSIGN firejail firefox
start Mozilla Firefox
DOLLARSIGN firejail --debug firefox
debug Firefox sandbox
DOLLARSIGN firejail --private --sna=8.8.8.8 firefox
start Firefox with a new, empty home directory, and a well-known DNS-server setting.
DOLLARSIGN firejail --net=eth0 firefox
start Firefox in a new network namespace
DOLLARSIGN firejail --x11=xorg firefox
start Firefox and sandbox X11
DOLLARSIGN firejail --list
list all running sandboxes
License GPL version 2 or later
Homepage: http://firejail.wordpress.com
"Mit Firejail lässt sich das Risiko erheblich reduzieren, das von bis dato ungepatchten Sicherheitslücken in Programmen ausgeht.", www.kuketz-blog.de/firejail-linux-haerten-teil4
Firejail has got two very interesting options: --profile, what is done with default.profile by default as much as one profile for each program resp. process out of a hugh amount from /etc/firejail and --private. Last one completes the sandbox in a whole. Refering to linfw3, for still blocking all trojans resp. backdoors, use the already listed firejail-option --profile=/home/surfuser, especially the pregiven (and already listed) profiles.
Resign from firejail, if firefox does not work correctly, until firejail gets reconfigured well enough !
"SECure COMPuting with filters (like seccomp within firejail)
===========================================
Introduction
------------
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. As system calls change and mature, bugs are found and eradicated. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications.
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The filter is expressed as a Berkeley Packet Filter (BPF) program, as with socket filters, except that the data operated on is related to the system call being made: system call number and the system call arguments. This allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland and a straightforward data set.
Additionally, BPF makes it impossible for users of seccomp to fall prey to time-of-check-time-of-use (TOCTOU) attacks that are common in system call interposition frameworks. BPF programs may not dereference pointers which constrains all filters to solely evaluating the system call arguments directly.
What it isn´t
-------------
System call filtering isn´t a sandbox.It provides a clearly defined mechanism for minimizing the exposed kernel surface. It is meant to be a tool for sandbox developers to use. Beyond that, policy for logical behavior and information flow should be managed with a combination of other system hardening techniques and, potentially, an LSM of your choosing. Expressive, dynamic filters provide further options down this path (avoiding pathological sizes or selecting which of the multiplexed system calls in socketcall() is allowed, for instance) which could be construed, incorrectly, as a more complete sandboxing solution.
Usage
-----
An additional seccomp mode is added and is enabled using the same prctl(2) call as the strict seccomp. If the architecture has CONFIG_HAVE_ARCH_SECCOMP_FILTER, then filters may be added as below:
...", https://www.pro-linux.de/news/1/25207/sicherheits-audit-von-dnsmasq.html, https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
Firefox mit Tor:
| sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/firefox.profile /usr/lib64/firefox/firefox --no-remote &" && sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/tor.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts" |
with default-firefox.profile like default.profile, but without blacklist /home/surfuser/.mozilla and /home/surfuser/.cache (commented in with "#").
Option tor: is used for the anonymizing TorDNS as the remote-DNS-server, what is introduced with Tor at the end of this excurs.
Following the many profile-files in /etc/firejail, the in comparison to sandbox docker-io easy-to-handle Firejail is recommended for all programs resp. processes online and you might not trust like webserver, server, dolphin (what causes a intern restricted bash, so that you should resign from it as much as for quit all processes online. Have a brief look into the configuration file of firejail in /etc/firejail too: many of them refer to single processes resp. programs, some like files named disable*.inc refer to more than it. There, encrypted partitions and directories including sub-directories (blacklist /mnt/) and USB-sticks (blacklist /media/ resp. blacklist /media/directory_for_the_usb-stick) can be secured once more too as much as the block of the intern start of bash-commands refering to outside of private and so on.
Now everything online runs not only "two and three times more secure" but even much faster than already fast !
Firejail-options for *.inc-files within /etc/firejail/ :
caps.drop all
ipc-namespace
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
noautopulse
notv
protocol unix,inet,inet6
seccomp
shell none
tracelog
quiet
private-dev
private-bin
private-etc passwd,group,hostname,hosts,resolv.conf,nsswitch.conf,fonts,mailcap,pulse
private-tmp
# ... not all firejail-options should be activated, in order to avoid capacity- and serious hard system-errors!
To the profiles of actual firejail 0.9.48-1.pcclos2017 in /etc/firejail, that is provided
preconfigured by us (Gooken) to get downloaded from our section for updates, belong (description see "man firejail")
0ad.profile
2048-qt.profile
140 25. Jun 14:30 7z.profile
1225 25. Jun 14:30 abrowser.profile
704 20. Mai 23:55 akregator.profile
489 25. Jun 14:30 amarok.profile
568 20. Mai 23:55 arduino.profile
499 25. Jun 14:30 ark.profile
347 25. Jun 14:30 atom-beta.profile
342 25. Jun 14:30 atom.profile
535 25. Jun 14:30 atool.profile
410 25. Jun 14:30 atril.profile
267 25. Jun 14:30 audacious.profile
357 25. Jun 14:30 audacity.profile
458 25. Jun 14:30 aweather.profile
1742 20. Mai 23:55 baloo_file.profile
785 20. Mai 23:55 bibletime.profile
271 25. Jun 14:30 bitlbee.profile
488 25. Jun 14:30 bleachbit.profile
488 8. Mai 23:07 bleachbit.profile
595 20. Mai 23:55 blender.profile
492 25. Jun 14:30 bless.profile
492 8. Mai 23:07 bless.profile
535 25. Jun 14:30 brasero.profile
535 8. Mai 23:07 brasero.profile
338 25. Jun 14:30 brave.profile
878 20. Mai 23:55 caja.profile
407 25. Jun 14:30 cherrytree.profile
66 25. Jun 14:30 chromium-browser.profile
695 25. Jun 14:30 chromium.profile
393 25. Jun 14:30 claws-mail.profile
268 25. Jun 14:30 clementine.profile
598 20. Mai 23:55 clipit.profile
340 25. Jun 14:30 cmus.profile
564 25. Jun 14:30 conkeror.profile
262 25. Jun 14:30 corebird.profile
379 25. Jun 14:30 cpio.profile
178 25. Jun 14:30 cryptocat.profile
524 20. Mai 23:55 Cryptocat.profile
582 25. Jun 14:30 cvlc.profile
99 25. Jun 14:30 cyberfox.profile
245 20. Mai 23:55 Cyberfox.profile
304 25. Jun 14:30 deadbeef.profile
366 25. Jun 14:30 default0.profile
366 25. Jun 14:30 default2.profile
607 25. Jun 14:30 default-firefox.profile
371 25. Jun 14:30 default-gftp.profile
367 25. Jun 14:30 default.profile
397 25. Jun 14:30 deluge.profile
526 20. Mai 23:55 dia.profile
450 25. Jun 14:30 dillo.profile
755 20. Mai 23:55 dino.profile
4812 25. Jun 14:30 disable-common0.inc
7239 25. Jun 14:30 disable-common-gftp.inc
3788 25. Jun 14:30 disable-common.inc
3788 11. Mai 15:08 disable-common.inc.rpmsave
7239 25. Jun 14:30 disable-common-kmail.inc
91 25. Jun 14:30 disable-devel-firefox.inc
1470 25. Jun 14:30 disable-devel.inc
725 25. Jun 14:30 disable-firefox.inc
187 25. Jun 14:30 disable-passwdmgr.inc
567 25. Jun 14:30 disable-programs-firefox.inc
4949 25. Jun 14:30 disable-programs.inc
538 25. Jun 14:30 display.profile
770 25. Jun 14:30 dnscrypt-proxy.profile
327 25. Jun 14:30 dnsmasq.profile
831 25. Jun 14:30 dolphin.profile
831 8. Mai 23:07 dolphin.profile
370 25. Jun 14:30 dosbox.profile
529 25. Jun 14:30 dragon.profile
448 25. Jun 14:30 dropbox.profile
562 25. Jun 14:30 elinks.profile
276 25. Jun 14:30 emacs.profile
229 25. Jun 14:30 empathy.profile
535 25. Jun 14:30 enchant.profile
505 25. Jun 14:30 engrampa.profile
376 25. Jun 14:30 eog.profile
374 25. Jun 14:30 eom.profile
609 25. Jun 14:30 epiphany.profile
356 25. Jun 14:30 evince.profile
476 25. Jun 14:30 evolution.profile
630 25. Jun 14:30 exiftool.profile
402 25. Jun 14:30 fbreader.profile
367 25. Jun 14:30 feh.profile
223 25. Jun 14:30 file.profile
514 25. Jun 14:30 file-roller.profile
553 20. Mai 23:55 filezilla.profile
230 20. Mai 23:55 firefox-esr.profile
1819 20. Mai 23:55 firefox.profile
2985 25. Jun 14:30 firejail.config
898 25. Jun 14:30 flashpeak-slimjet.profile
300 25. Jun 14:30 flowblade.profile
544 20. Mai 23:55 fontforge.profile
429 25. Jun 14:30 fossamail.profile
220 20. Mai 23:55 FossaMail.profile
481 25. Jun 14:30 franz.profile
817 25. Jun 14:30 gajim.profile
601 20. Mai 23:55 galculator.profile
543 20. Mai 23:55 geany.profile
621 25. Jun 14:30 gedit.profile
582 25. Jun 14:30 geeqie.profile
36 20. Mai 23:55 gimp-2.8.profile
295 25. Jun 14:30 gimp.profile
418 25. Jun 14:30 git.profile
383 25. Jun 14:30 gitter.profile
833 25. Jun 14:30 gjs.profile
555 20. Mai 23:55 globaltime.profile
653 25. Jun 14:30 gnome-2048.profile
654 25. Jun 14:30 gnome-books.profile
503 25. Jun 14:30 gnome-calculator.profile
431 25. Jun 14:30 gnome-chess.profile
526 25. Jun 14:30 gnome-clocks.profile
499 25. Jun 14:30 gnome-contacts.profile
612 25. Jun 14:30 gnome-documents.profile
543 20. Mai 23:55 gnome-font-viewer.profile
627 25. Jun 14:30 gnome-maps.profile
627 8. Mai 23:07 gnome-maps.profile
329 25. Jun 14:30 gnome-mplayer.profile
552 25. Jun 14:30 gnome-music.profile
663 25. Jun 14:30 gnome-photos.profile
669 25. Jun 14:30 gnome-weather.profile
493 25. Jun 14:30 goobox.profile
704 25. Jun 14:30 google-chrome-beta.profile
670 25. Jun 14:30 google-chrome.profile
76 25. Jun 14:30 google-chrome-stable.profile
732 25. Jun 14:30 google-chrome-unstable.profile
452 25. Jun 14:30 google-play-music-desktop-player.profile
493 25. Jun 14:30 gpa.profile
542 25. Jun 14:30 gpg-agent.profile
530 25. Jun 14:30 gpg.profile
543 25. Jun 14:30 gpicview.profile
458 25. Jun 14:30 gpredict.profile
55 25. Jun 14:30 gtar.profile
370 25. Jun 14:30 gthumb.profile
501 25. Jun 14:30 guayadeque.profile
535 20. Mai 23:55 gucharmap.profile
424 25. Jun 14:30 gwenview.profile
153 25. Jun 14:30 gzip.profile
425 25. Jun 14:30 hedgewars.profile
632 25. Jun 14:30 hexchat.profile
546 25. Jun 14:30 highlight.profile
544 20. Mai 23:55 hugin.profile
1224 25. Jun 14:30 icecat.profile
445 25. Jun 14:30 icedove.profile
99 25. Jun 14:30 iceweasel.profile
508 25. Jun 14:30 img2txt.profile
302 25. Jun 14:30 inkscape.profile
509 25. Jun 14:30 inox.profile
192 25. Jun 14:30 iridium-browser.profile
631 25. Jun 14:30 iridium.profile
479 25. Jun 14:30 jd-gui.profile
479 8. Mai 23:07 jd-gui.profile
326 25. Jun 14:30 jitsi.profile
475 25. Jun 14:30 k3b.profile
475 8. Mai 23:07 k3b.profile
700 25. Jun 14:30 kate.profile
617 20. Mai 23:55 kcalc.profile
219 25. Jun 14:30 keepass2.profile
400 25. Jun 14:30 keepass.profile
630 25. Jun 14:30 keepassx2.profile
630 8. Mai 23:07 keepassx2.profile
673 25. Jun 14:30 keepassxc.profile
673 8. Mai 23:07 keepassxc.profile
427 25. Jun 14:30 keepassx.profile
665 25. Jun 14:30 kino.profile
665 8. Mai 23:07 kino.profile
356 25. Jun 14:30 kmail.profile
356 21. Apr 13:50 kmail.profile
526 20. Mai 23:55 knotes.profile
545 20. Mai 23:55 kodi.profile
288 25. Jun 14:30 konversation.profile
709 20. Mai 23:55 ktorrent.profile
558 20. Mai 23:55 leafpad.profile
122 25. Jun 14:30 less.profile
400 25. Jun 14:30 libreoffice.profile
131 25. Jun 14:30 localc.profile
131 25. Jun 14:30 lodraw.profile
131 25. Jun 14:30 loffice.profile
131 25. Jun 14:30 lofromtemplate.profile
345 25. Jun 14:30 login.users
131 25. Jun 14:30 loimpress.profile
506 25. Jun 14:30 lollypop.profile
506 8. Mai 23:07 lollypop.profile
131 25. Jun 14:30 lomath.profile
131 25. Jun 14:30 loweb.profile
131 25. Jun 14:30 lowriter.profile
349 25. Jun 14:30 luminance-hdr.profile
556 20. Mai 23:55 lximage-qt.profile
579 20. Mai 23:55 lxmusic.profile
263 25. Jun 14:30 lxterminal.profile
533 25. Jun 14:30 lynx.profile
562 20. Mai 23:55 mate-calc.profile
42 20. Mai 23:55 mate-calculator.profile
533 20. Mai 23:55 mate-color-select.profile
579 20. Mai 23:55 mate-dictionary.profile
213 20. Mai 23:55 mathematica.profile
491 25. Jun 14:30 Mathematica.profile
213 8. Mai 23:07 mathematica.profile
387 25. Jun 14:30 mcabber.profile
545 25. Jun 14:30 mediainfo.profile
533 25. Jun 14:30 mediathekview.profile
551 20. Mai 23:55 meld.profile
301 25. Jun 14:30 midori.profile
526 25. Jun 14:30 mousepad.profile
363 25. Jun 14:30 mpv.profile
717 25. Jun 14:30 multimc5.profile
717 8. Mai 23:07 multimc5.profile
734 25. Jun 14:30 mumble.profile
734 8. Mai 23:07 mumble.profile
890 25. Jun 14:30 mupdf.profile
514 25. Jun 14:30 mupen64plus.profile
774 25. Jun 14:30 mutt.profile
859 25. Jun 14:30 nautilus.profile
859 8. Mai 23:07 nautilus.profile
674 20. Mai 23:55 nemo.profile
658 25. Jun 14:30 netsurf.profile
774 25. Jun 14:30 nolocal.net
652 20. Mai 23:55 nylas.profile
554 25. Jun 14:30 odt2txt.profile
542 25. Jun 14:30 okular.profile
284 25. Jun 14:30 openbox.profile
294 25. Jun 14:30 openshot.profile
591 25. Jun 14:30 opera-beta.profile
611 25. Jun 14:30 opera.profile
584 20. Mai 23:55 orage.profile
1601 25. Jun 14:30 palemoon.profile
371 25. Jun 14:30 parole.profile
660 20. Mai 23:55 pcmanfm.profile
439 25. Jun 14:30 pdfsam.profile
439 8. Mai 23:07 pdfsam.profile
541 25. Jun 14:30 pdftotext.profile
363 25. Jun 14:30 pidgin.profile
483 25. Jun 14:30 pithos.profile
483 8. Mai 23:07 pithos.profile
412 25. Jun 14:30 pix.profile
503 25. Jun 14:30 pluma.profile
707 25. Jun 14:30 polari.profile
507 25. Jun 14:30 psi-plus.profile
439 25. Jun 14:30 qbittorrent.profile
452 25. Jun 14:30 qemu-launcher.profile
418 25. Jun 14:30 qemu-system-x86_64.profile
560 20. Mai 23:55 qlipper.profile
405 25. Jun 14:30 qpdfview.profile
448 25. Jun 14:30 qtox.profile
222 25. Jun 14:30 quassel.profile
626 25. Jun 14:30 quiterss.profile
813 25. Jun 14:30 qupzilla.profile
533 25. Jun 14:30 qutebrowser.profile
426 25. Jun 14:30 ranger.profile
353 25. Jun 14:30 rhythmbox.profile
574 20. Mai 23:55 ristretto.profile
360 25. Jun 14:30 rtorrent.profile
885 25. Jun 14:30 scribus.profile
885 8. Mai 23:07 scribus.profile
100 25. Jun 14:30 seamonkey-bin.profile
1293 25. Jun 14:30 seamonkey.profile
355 25. Jun 14:30 server.profile
562 25. Jun 14:30 simple-scan.profile
506 25. Jun 14:30 skanlite.profile
267 25. Jun 14:30 skypeforlinux.profile
243 25. Jun 14:30 skype.profile
624 25. Jun 14:30 slack.profile
349 25. Jun 14:30 snap.profile
131 25. Jun 14:30 soffice.profile
844 25. Jun 14:30 spotify.profile
464 25. Jun 14:30 ssh-agent.profile
287 25. Jun 14:30 ssh.profile
603 25. Jun 14:30 start-tor-browser.profile
386 25. Jun 14:30 steam.profile
546 25. Jun 14:30 stellarium.profile
126 25. Jun 14:30 strings.profile
322 25. Jun 14:30 synfigstudio.profile
301 25. Jun 14:30 tar.profile
62 25. Jun 14:30 telegram.profile
208 20. Mai 23:55 Telegram.profile
62 12. Apr 20:18 telegram.profile
208 8. Mai 23:07 Telegram.profile
37 25. Jun 14:30 thunar.profile
725 20. Mai 23:55 Thunar.profile
540 8. Mai 23:07 Thunar.profile
446 25. Jun 14:30 thunderbird.profile
335 25. Jun 14:30 totem.profile
628 25. Jun 14:30 tracker.profile
618 25. Jun 14:30 transmission-cli.profile
460 25. Jun 14:30 transmission-gtk.profile
457 25. Jun 14:30 transmission-qt.profile
591 25. Jun 14:30 transmission-show.profile
441 25. Jun 14:30 uget-gtk.profile
780 25. Jun 14:30 unbound.profile
235 25. Jun 14:30 unrar.profile
223 25. Jun 14:30 unzip.profile
223 25. Jun 14:30 uudeview.profile
702 25. Jun 14:30 uzbl-browser.profile
609 20. Mai 23:55 viewnior.profile
581 20. Mai 23:55 viking.profile
292 25. Jun 14:30 vim.profile
273 25. Jun 14:30 virtualbox.profile
189 20. Mai 23:55 VirtualBox.profile
69 25. Jun 14:30 vivaldi-beta.profile
540 25. Jun 14:30 vivaldi.profile
534 25. Jun 14:30 vivaldi-stable.profile
398 25. Jun 14:30 vlc.profile
547 25. Jun 14:30 w3m.profile
521 25. Jun 14:30 warzone2100.profile
992 25. Jun 14:30 webserver.net
69 25. Jun 14:30 weechat-curses.profile
408 25. Jun 14:30 weechat.profile
689 25. Jun 14:30 wesnoth.profile
497 25. Jun 14:30 wget.profile
497 8. Mai 23:07 wget.profile
746 25. Jun 14:30 whitelist-common.inc
284 25. Jun 14:30 wine.profile
676 20. Mai 23:55 wire.profile
203 25. Jun 14:30 Wire.profile
609 25. Jun 14:30 wireshark.profile
609 8. Mai 23:07 wireshark.profile
288 25. Jun 14:30 xchat.profile
497 25. Jun 14:30 xed.profile
922 20. Mai 23:55 Xephyr.profile
531 25. Jun 14:30 xfburn.profile
555 20. Mai 23:55 xfce4-dict.profile
657 20. Mai 23:55 xfce4-notes.profile
676 25. Jun 14:30 xiphos.profile
487 25. Jun 14:30 xmms.profile
225 25. Jun 14:30 xonotic-glx.profile
602 25. Jun 14:30 xonotic.profile
602 8. Mai 23:07 xonotic.profile
225 25. Jun 14:30 xonotic-sdl.profile
352 25. Jun 14:30 xpdf.profile
450 25. Jun 14:30 xplayer.profile
512 25. Jun 14:30 xpra.profile
512 8. Mai 23:07 xpra.profile
450 25. Jun 14:30 xreader.profile
1128 20. Mai 23:55 Xvfb.profile
336 25. Jun 14:30 xviewer.profile
154 25. Jun 14:30 xzdec.profile
54 25. Jun 14:30 xz.profile
530 20. Mai 23:55 youtube-dl.profile
393 25. Jun 14:30 zathura.profile
470 25. Jun 14:30 zoom.profile
/etc/firejail/palemoon.profile:
...
# For Pale Moon and Tor
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
noblacklist /usr/bin/palemoon
noblacklist /usr/bin/tor
noblacklist DOLLARSIGN{HOME}/.moon*
noblacklist DOLLARSIGN{HOME}/keys
noblacklist DOLLARSIGN{HOME}/lock
noblacklist DOLLARSIGN{HOME}/state
noblacklist DOLLARSIGN{HOME}/cached*
noblacklist DOLLARSIGN{HOME}/ca-bundle.crt
noblacklist DOLLARSIGN{HOME}/.thumbnails
noblacklist DOLLARSIGN{HOME}/cache
noblacklist DOLLARSIGN{HOME}/control_auth_cookie
read-only DOLLARSIGN{HOME}/geoip
read-only DOLLARSIGN{HOME}/geoip6
read-only DOLLARSIGN{HOME}/torrc
read-only DOLLARSIGN{HOME}/.pale*/moon*/profile.yourprofile/user.js
noblacklist DOLLARSIGN{HOME}/tmp
blacklist DOLLARSIGN{HOME}/.local
blacklist DOLLARSIGN{HOME}/.pulse
blacklist DOLLARSIGN{HOME}/.kde
blacklist DOLLARSIGN{HOME}/.kde4
blacklist DOLLARSIGN{HOME}/.gftp
blacklist DOLLARSIGN{HOME}/.config
blacklist DOLLARSIGN{HOME}/.pki
blacklist DOLLARSIGN{HOME}/.mcop
blacklist DOLLARSIGN{HOME}/.fontconfig
blacklist DOLLARSIGN{HOME}/.dbus
blacklist DOLLARSIGN{HOME}/.bash*
blacklist DOLLARSIGN{HOME}/.abrt
blacklist DOLLARSIGN{HOME}/.gconf*
blacklist DOLLARSIGN{HOME}/.xsession-errors
blacklist DOLLARSIGN{HOME}/.profile
blacklist DOLLARSIGN{HOME}/Desktop
blacklist DOLLARSIGN{HOME}/.mozilla
blacklist DOLLARSIGN{HOME}/.wine
blacklist DOLLARSIGN{HOME}/.gnupg
blacklist DOLLARSIGN{HOME}/.mozilla
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /usr/src
blacklist /usr/games
blacklist /etc/init.d
blacklist /etc/rc0.d
blacklist /etc/rc1.d
blacklist /etc/rc2.d
blacklist /etc/rc3.d
blacklist /etc/rc4.d
blacklist /etc/rc5.d
blacklist /etc/rc6.d
blacklist /usr/local
blacklist /etc/rc.d
blacklist /etc/fstab
blacklist /etc/mtab
blacklist /etc/crypttab
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /etc/passwd
blacklist /boot
blacklist /usr/bin/*
blacklist /bin/*
ipc-namespace
caps.drop all
nodbus
nodvd
nogroups
netfilter
nonewprivs
noroot
protocol unix,inet,netlink
seccomp
shell none
no3d
nosound
nou2f
#private-bin which,firefox
private-dev
private-tmp
private-etc passwd,group,hostname,hosts,fonts,nsswitch.conf,xdg,resolv.conf,pango
#private-etc
/etc/firejail/firefox.profile (extraction):
...
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/firefox.local
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
blacklist ~/.config/qpdfview
blacklist ~/.local/share/qpdfview
blacklist ~/.pki
blacklist /usr/bin
blacklist /usr/sbin
blacklist /usr/src
blacklist /opt
blacklist /sbin
blacklist /usr/libexec
blacklist /bin
blacklist /usr/games
blacklist /etc/init.d
blacklist /etc/rc0.d
blacklist /etc/rc1.d
blacklist /etc/rc2.d
blacklist /etc/rc3.d
blacklist /etc/rc4.d
blacklist /etc/rc5.d
blacklist /etc/rc6.d
blacklist /etc/rc.d
blacklist /etc/fstab
blacklist /etc/mtab
blacklist /etc/crypttab
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /etc/passwd
blacklist /boot
blacklist /usr/local
blacklist ~./kde4
blacklist ~./config
blacklist ~./gconf
blacklist ~./gconfd
blacklist ~./local
blacklist ~./mcop
blacklist ~./pulse-cookie
blacklist ~./thumbnails
blacklist ~./Desktop
blacklist /home/secret
blacklist /home/toranonym
blacklist /media
blacklist /mnt
noblacklist /usr/bin/xargs
noblacklist /usr/bin/xauth
noblacklist /usr/bin/export
noblacklist /usr/bin/firefox
noblacklist /usr/bin/sg
noblacklist /usr/bin/gftp
noblacklist /usr/bin/gftp-gtk
noblacklist /usr/bin/gftp-text
noblacklist /usr/bin/tor
noblacklist /bin/certtool
noblacklist /bin/certutil
noblacklist /bin/basename
noblacklist /bin/bash.old
noblacklist /bin/p11tool
noblacklist /bin/pk12util
noblacklist /bin/smime
noblacklist /bin/shlibsign
noblacklist /bin/signtool
noblacklist /bin/signver
noblacklist /bin/ssltap
read-only /home/surfuser/.mozilla/firefox/default.profile/user.js
read-only /home/surfuser/torrc
read-only /home/surfuser/.mozilla/firefox/prefs.js
#blacklist ~/."moonchild productions"
include /etc/firejail/disable-common0.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
# caps.drop=CAP_AUDIT_CONTROL,CAP_AUDIT_WRITE,CAP_AUDIT_READ
ipc-namespace
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,netlink
seccomp
shell none
nosound
noautopulse
notv
# tracelog
no3d
nodbus
nodvd
nosound
nou2f
# ... see firejail --help, BEACHTE: Nicht alle Firejail-Optionen funktionieren für Firefox!
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
mkdir ~/.pki
whitelist ~/.pki
disable-mnt # or use blacklist /mnt and blacklist /media
private-dev # This might not always work with firefox
# experimental features
# private-bin sh,which,env,dbus-send,dbus-launch
# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
private-etc passwd,group,hostname,hosts,resolv.conf,nsswitch.conf,fonts,mailcap,pulse
# private-dev # - prevents video calls going out
private-tmp
noexec DOLLARSIGN{HOME}
noexec /tmp
noexec /tmp2
... or, in order to start konqueror with priority 18 always by mouseclick out of the K-menu, type "sg surfgroup konqueror && renice -n 18 `pidof konqueror` &&kded4" resp. with firejail-options into the command-line, after editing the K-menu with kmenuedit. Konqueror loads websites even with process-priority 18
fabolous fast (its like beaming to visit anything anywhere at once with a Spaceship like Enterprise thanks Spock, as if Google has not been there for a long time...).We also started services like the cookie-management for surfuser named kded4. On our linksites we describe by reports and links more enfastening methods for the browser Firefox.
Notice, that there is a
patch for firejail (pclos2017) from year 2017/12 firejail-0.9.52-1.x86_64 making the private-option in all cases really effective. This means for our two examples for firejail for konqueror and firefox better to resign from this option for the first time, until firejail might gets reconfgured. To make firejail already work well without this option, we suggest the following configuration. Also notice, that it won´t fit for all programs (although quit all). In this case, single entries might have to be removed or added to store into new configuration files:
Pale Moon, notice: noscript and RequestBlockPolicyContinned do not block many scripts as they should do!
/etc/firejail/palemoon.profile
#### Especially for Pale Moon (browser):
blacklist /mnt
blacklist /media
blacklist /etc/cups
blacklist /usr/local
blacklist /usr/sbin
blacklist /sbin
blacklist /usr/libexec
blacklist /usr/games
blacklist /lib
blacklist /home/toruser
blacklist /home/user
blacklist /opt
blacklist /usr/lib
blacklist /usr/lib/python*
blacklist /usr/lib64/python*
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist DOLLARSIGN{HOME}/.wine
blacklist DOLLARSIGN{HOME}/.gnupg
ipc-namespace
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
#nogroup
shell none
#private-bin which,firefox
private-dev
private-tmp
private-etc passwd,group,hostname,hosts,fonts,nsswitch.conf,xdg,resolv.conf,pango
#
#### end Pale Moon (/etc/firejail/palemoon.profile)
/etc/firejail/
default.profile (preconfigured firejail (fc27, pclos2017, rosa2016.1) from August 2017 can be downloaded from our update section):
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
#
blacklist DOLLAR{HOME}/.wine
blacklist DOLLAR{HOME}/.gnupg
caps.drop all
# netfilter
nonewprivs
noroot
protocol unix,inet,inet6
# seccomp
shell none # this is very important and suitable for many profiles, even konqueror, kmail and thunderbird, but not all profiles: also notice our comments about /etc/passwd
/etc/firejail/
disable-common.inc of firejail (rosa2014.1), alternatively set ACL-rules (setfacl):
noexec /usr/bin/bash # for some profiles like for Konqueror
noexec /bin/bash
# History files in HOME
blacklist-nolog DOLLAR{HOME}/.history
blacklist-nolog {HOME}/.*_history
blacklist {HOME}/.local/share/systemd
blacklist-nolog {HOME}/.adobe
blacklist-nolog {HOME}/.macromedia
read-only {HOME}/.local/share/applications
# X11 session autostart and more
blacklist DOLLAR{HOME}/Desktop
blacklist {HOME}/*.jar
blacklist {HOME}/logs
blacklist {HOME}/tor-browser
blacklist {HOME}/.xinitrc
blacklist {HOME}/.xprofile
blacklist {HOME}/.config/autostart
blacklist /etc/xdg/autostart
blacklist {HOME}/.kde4/Autostart
blacklist {HOME}/.kde4/share/autostart
blacklist {HOME}/.kde/Autostart
blacklist {HOME}/.kde/share/autostart
blacklist {HOME}/.config/plasma-workspace/shutdown
blacklist {HOME}/.config/plasma-workspace/env
blacklist {HOME}/.config/lxsession/LXDE/autostart
blacklist {HOME}/.fluxbox/startup
blacklist {HOME}/.config/openbox/autostart
blacklist {HOME}/.config/openbox/environment
blacklist {HOME}/.gnomerc
read-only /etc
read-only /bin
read-only /usr/bin
read-only /usr/etc
read-only /proc
read-only /sys
read-only /dev
blacklist /etc/X11/Xsession.d/
blacklist /media/ # USB-Sticks / USB-Speicherstifte
blacklist /media/sicher/
blacklist /mnt
blacklist /opt
blacklist /misc
blacklist /secoff
blacklist /sid-root
blacklist /lost+found
blacklist /smack
blacklist /srv
blacklist /net
blacklist /initrd
blacklist /intel-ucode
blacklist /boot-save
blacklist /boot
blacklist /cgroup
blacklist /root
read-only /lib
read-only /lib64
read-only /usr/lib
read-only /usr/lib64 # Firefox: "read-only /usr/lib64/lib*" or read-only /usr/lib64/a*, ..., read-only /usr/lib64/z* without the firefox-directory
read-only /usr/lib64/kde4
blacklist /usr/local
blacklist /usr/bin/ssh*
blacklist /usr/src
read-only /usr/bin/firejail
read-only /usr/ssl
read-only /usr/libexec
read-only /usr/uclibc
read-only /usr/X11R6
read-only /usr/x86_64-linux-uclibc
read-only /usr/etc
read-only /usr/com
read-only /usr/docs
read-only /usr/enthought
read-only /usr/GNUstep
read-only /usr/selenium
read-only /usr/man
read-only /usr/mipsel-linux
read-only /usr/i686-w64-mingw32
read-only /usr/i486-linux-libc5
blacklist /bin/kill
blacklist /bin/rm
blacklist /bin/ping
blacklist /bin/mount*
blacklist /bin/umount*
blacklist /bin/ls*
blacklist /bin/sed*
blacklist /bin/rpm
blacklist /bin/pipeline
blacklist /bin/mv
blacklist /bin/cp
blacklist /bin/csh
blacklist /bin/dd
blacklist /bin/chmod
blacklist /bin/chown
blacklist /bin/dash
blacklist /bin/df
blacklist /bin/dmesg
blacklist /bin/ed
blacklist /bin/find
blacklist /bin/grep
blacklist /bin/exec
blacklist /bin/gunzip
blacklist /bin/gzip
blacklist /bin/gzexe
blacklist /bin/ln
blacklist /bin/login
blacklist /bin/lsblk
blacklist /bin/mail
blacklist /bin/mailx
blacklist /bin/mkdir
blacklist /bin/mksh
blacklist /bin/mknod
blacklist /bin/netstat
# blacklist /bin/ps
blacklist /bin/pwd
blacklist /bin/pipeline
blacklist /bin/rmdir
blacklist /bin/tcsh
blacklist /bin/touch
blacklist /bin/vi
blacklist /bin/zsh
blacklist /bin/tar
blacklist /bin/zless
blacklist /bin/zmore
blacklist /bin/more
blacklist /bin/date
blacklist /bin/dmesg
blacklist /bin/ash
blacklist /bin/awk
blacklist /bin/cg*
blacklist /bin/cd
blacklist /bin/bashb*
blacklist /bin/cat
blacklist /bin/env
blacklist /bin/get*
blacklist /bin/for*
blacklist /bin/homeof
blacklist /bin/foreground
blacklist /usr/bin/rpm*
blacklist /usr/bin/srm
blacklist /usr/bin/shred
blacklist /usr/bin/wipe
blacklist /usr/bin/mount*
blacklist /usr/bin/umount*
blacklist /usr/bin/mouse*
blacklist /usr/bin/ls*
# blacklist /usr/bin/r*
# blacklist /usr/bin/a*
# blacklist /usr/bin/c*
# blacklist /usr/bin/e*
# blacklist /usr/bin/f*
# blacklist /usr/bin/h*
# blacklist /usr/bin/i*
# blacklist /usr/bin/j*
# blacklist /usr/bin/perl*
# blacklist /usr/bin/s*
# blacklist /usr/bin/t*
# blacklist /usr/bin/u*
# blacklist /usr/bin/v*
# blacklist /usr/bin/w*
# blacklist /usr/bin/x*
# blacklist /usr/bin/y*
# blacklist /usr/bin/z*
blacklist /usr/libexec/mysql*
blacklist /usr/bin/mysql*
blacklist /usr/share/autostart
read-only /usr/share/cups
read-only /usr/share/cups/model
blacklist /usr/share/doc
blacklist /var/www
blacklist /var/www/html
# VirtualBox
blacklist DOLLAR{HOME}/.VirtualBox
blacklist DOLLAR{HOME}/VirtualBox VMs
blacklist DOLLAR{HOME}/.config/VirtualBox
# VeraCrypt
blacklist DOLLAR{PATH}/veracrypt
blacklist DOLLAR{PATH}/veracrypt-uninstall.sh
blacklist /usr/share/veracrypt
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist DOLLAR{HOME}/.VeraCrypt
# var
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock
# etc
blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
blacklist /etc/rpc*
blacklist /etc/rpm*
blacklist /etc/rc*
blacklist /etc/init.d
read-only /etc/printcap
blacklist /etc/pmount*
read-only /etc/PolicyKit
read-only /etc/php.ini
read-only /etc/passwd
read-only /etc/paper*
blacklist /etc/mpasswd
blacklist /etc/modprobe*
blacklist /etc/mke2fs*
blacklist /etc/libuser.conf
blacklist /etc/libvirt
blacklist /etc/ld.so*
read-only /etc/kde
blacklist /etc/init*
blacklist /etc/incron*
blacklist /etc/resolv.conf
blacklist /etc/host*
blacklist /etc/gshadow*
blacklist /etc/fstab*
blacklist /etc/freshclam*
blacklist /etc/dracut*
read-only /etc/Dir_COLORS*
blacklist /etc/dhcp*
read-only /etc/cups
blacklist /etc/crypttab*
blacklist /etc/cron*
blacklist /etc/csh*
blacklist /etc/cvs*
blacklist /etc/cpu*
blacklist /etc/conntrackd.conf
blacklist /etc/color*
blacklist /etc/cloud
blacklist /etc/clam*
blacklist /etc/chrony*
blacklist /etc/chilli*
read-only /etc/bash*
blacklist /etc/at
blacklist /etc/asound*
blacklist /etc/aide*
# General startup files
read-only DOLLAR{HOME}/.xinitrc
read-only DOLLAR{HOME}/.xserverrc
read-only DOLLAR{HOME}/.profile
# Shell startup files
read-only DOLLAR{HOME}/.antigen
read-only DOLLAR{HOME}/.bash_login
read-only DOLLAR{HOME}/.bashrc
read-only DOLLAR{HOME}/.bash_profile
read-only DOLLAR{HOME}/.bash_logout
read-only DOLLAR{HOME}/.zsh.d
read-only DOLLAR{HOME}/.zshenv
read-only DOLLAR{HOME}/.zshrc
read-only DOLLAR{HOME}/.zshrc.local
read-only DOLLAR{HOME}/.zlogin
read-only DOLLAR{HOME}/.zprofile
read-only DOLLAR{HOME}/.zlogout
read-only DOLLAR{HOME}/.zsh_files
read-only DOLLAR{HOME}/.tcshrc
read-only DOLLAR{HOME}/.cshrc
read-only DOLLAR{HOME}/.csh_files
read-only DOLLAR{HOME}/.profile
read-only DOLLAR{HOME}/.gnugp*
read-only DOLLAR{HOME}/gnupg
# Initialization files that allow arbitrary command execution
read-only DOLLAR{HOME}/.caffrc
read-only DOLLAR{HOME}/.dotfiles
read-only DOLLAR{HOME}/dotfiles
read-only DOLLAR{HOME}/.mailcap
read-only DOLLAR{HOME}/.exrc
read-only DOLLAR{HOME}/_exrc
read-only DOLLAR{HOME}/.vimrc
read-only DOLLAR{HOME}/_vimrc
read-only DOLLAR{HOME}/.gvimrc
read-only DOLLAR{HOME}/_gvimrc
read-only DOLLAR{HOME}/.vim
read-only DOLLAR{HOME}/.emacs
read-only DOLLAR{HOME}/.emacs.d
read-only DOLLAR{HOME}/.nano
read-only DOLLAR{HOME}/.tmux.conf
read-only DOLLAR{HOME}/.iscreenrc
read-only DOLLAR{HOME}/.muttrc
read-only DOLLAR{HOME}/.mutt/muttrc
read-only DOLLAR{HOME}/.msmtprc
read-only DOLLAR{HOME}/.reportbugrc
read-only DOLLAR{HOME}/.xmonad
read-only DOLLAR{HOME}/.xscreensaver
read-only /etc/X11
# The user ~/bin directory can override commands such as ls
read-only DOLLAR{HOME}/bin
# top user
blacklist DOLLAR{HOME}/.ssh
blacklist DOLLAR{HOME}/.cert
blacklist DOLLAR{HOME}/.gnome2/keyrings
blacklist DOLLAR{HOME}/.kde4/share/apps/kwallet
blacklist DOLLAR{HOME}/.kde/share/apps/kwallet
blacklist DOLLAR{HOME}/.local/share/kwalletd
blacklist DOLLAR{HOME}/.config/keybase
blacklist DOLLAR{HOME}/.netrc
blacklist DOLLAR{HOME}/.gnupg
blacklist DOLLAR{HOME}/.caff
blacklist DOLLAR{HOME}/.smbcredentials
blacklist DOLLAR{HOME}/*.kdbx
blacklist DOLLAR{HOME}/*.kdb
blacklist DOLLAR{HOME}/*.key
blacklist DOLLAR{HOME}/.muttrc
blacklist DOLLAR{HOME}/.mutt/muttrc
blacklist DOLLAR{HOME}/.msmtprc
blacklist /home/surfuser/.gnupg
blacklist /etc/shadow
blacklist /etc/gshadow
# blacklist /etc/passwd
blacklist /etc/passwd-
blacklist /etc/group-
blacklist /etc/shadow-
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/group+
blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup
# system management
blacklist DOLLAR{PATH}/umount
blacklist DOLLAR{PATH}/mount
blacklist DOLLAR{PATH}/fusermount
blacklist DOLLAR{PATH}/su
blacklist DOLLAR{PATH}/sudo
blacklist DOLLAR{PATH}/xinput
blacklist DOLLAR{PATH}/evtest
blacklist DOLLAR{PATH}/xev
blacklist DOLLAR{PATH}/strace
blacklist DOLLAR{PATH}/nc
blacklist DOLLAR{PATH}/ncat
# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin
# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*
# disable terminals running as server resulting in sandbox escape
blacklist DOLLAR{PATH}/gnome-terminal
blacklist DOLLAR{PATH}/gnome-terminal.wrapper
blacklist DOLLAR{PATH}/xfce4-terminal
blacklist DOLLAR{PATH}/xfce4-terminal.wrapper
blacklist DOLLAR{PATH}/mate-terminal
blacklist DOLLAR{PATH}/mate-terminal.wrapper
blacklist DOLLAR{PATH}/lilyterm
blacklist DOLLAR{PATH}/pantheon-terminal
blacklist DOLLAR{PATH}/roxterm
blacklist DOLLAR{PATH}/roxterm-config
blacklist DOLLAR{PATH}/terminix
blacklist DOLLAR{PATH}/urxvtc
blacklist DOLLAR{PATH}/urxvtcd
blacklist DOLLAR{PATH}/xterm
blacklist DOLLAR{PATH}/konsole
blacklist DOLLAR{PATH}/rxvt
blacklist DOLLAR{PATH}/lxterminal
read-only /etc/firejail
blacklist /usr/bin/ssh*
blacklist /usr/bin/rlogin*
blacklist DOLLAR{HOME}/.gftp/cache
blacklist DOLLAR{HOME}/Dokumente
blacklist DOLLAR{HOME}/Video
blacklist DOLLAR{HOME}/Bilder
blacklist DOLLAR{HOME}/Audio
blacklist DOLLAR{HOME}/Texte
Now start Pale Moon (similar Firefox with default.profile instead of palemoon.profile):
| knemo && sg surgruppe "unshare firejail --nice=19 --profile=/etc/firejail/palemoon.profile /usr/lib64/palemoon/palemoon --no-remote &" && sg surfgruppe "tor -f /etc/tor/torrc&quto; && export RESOLV_HOST_CONF="/etc/hosts" |
It is possible to enter this command-line into a startup under "command." to start Pale Moon by one mouseclick only.
Small disadvantage: Process firejail for the browser has to be killed, before any package-installations are possible. Generally all processed started by the user surfuser can be terminated through the command
"killall -u surfuser", as dnsmasq might run under surfuser at least by the command "killall firejail" from time to time, before too many firejail are running, so that all still running firejail-processes terminate. It is recommended to create a small entry with user root in the K-Menu and/or the same entry for the task line.
General chroot and suid paranoia
chroot is one of the most powerful possibilities to restrict a daemon or a user or another service. Just imagine a jail around your target, which the target cannot escape from (normally, but there are still a lot of conditions that allow one to escape out of such a jail). You can eventually create a modified root environment for the user or service you do not trust. This can use quite a bit of disk space as you need to copy all needed executables, as well as libraries, into the jail. But then, even if the user does something malicious, the scope of the damage is limited to the jail.
Many services running as daemons could benefit from this sort of arrangement. The daemons that you install with your Debian distribution will not come, however, chrooted per default.
This includes: name servers (such as bind), web servers (such as apache), mail servers (such as sendmail) and ftp servers (such as wu-ftpd). It is probably fair to say that the complexity of BIND is the reason why it has been exposed to a lot of attacks in recent years (see Securing BIND, Section 5.7).
However, Debian does provide some software that can help set up chroot environments. See Making chrooted environments automatically (depicted in the following).
Anyway, if you run any service on your system, you should consider running them as secure as possible. This includes: revoking root privileges, running in a restricted environment (such as a chroot jail) or replacing them with a more secure equivalent.
However, be forewarned that a chroot jail can be broken if the user running in it is the superuser. So, you need to make the service run as a non-privileged user. By limiting its environment you are limiting the world readable/executable files the service can access, thus, you limit the possibilities of a privilege escalation by use of local system security vulnerabilities. Even in this situation you cannot be completely sure that there is no way for a clever attacker to somehow break out of the jail. Using only server programs which have a reputation for being secure is a good additional safety measure. Even minuscule holes like open file handles can be used by a skilled attacker for breaking into the system. After all, chroot was not designed as a security tool but as a testing tool.
Making chrooted environments automatically
There are several programs to chroot automatically servers and services. Debian currently (accepted in May 2002) provides Wietse Venema´s
chrootuid in the chrootuid package, as well as
compartment and
makejail. These programs can be used to set up a restricted environment for executing any program (chrootuid enables you to even run it as a restricted user).
Some of these tools can be used to set up the chroot environment easily. The makejail program for example, can create and update a chroot jail with short configuration files (it provides sample configuration files for bind, apache, postgresql and mysql). It attempts to guess and install into the jail all files required by the daemon using strace, stat and Debian´s package dependencies. More information at http://www.floc.net/makejail/. Jailer is a similar tool which can be retrieved from http://www.balabit.hu/downloads/jailer/ and is also available as a Debian package.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-chroot
But back to our text about LINFW3: Notice, that the NEW-LINE-BLOCK-only of Linfw3 prevents form all hacker except on established connections opened by the surfer, but not from any backdoors resp. trojans! Always try to use the NEW-LINE-BLOCK with the UID-( and/or GID-)owner-concept for surfuser and surfgroup together with the port-concept, while updates can be performed in the same way by root as the surfuser (and/or surfgroup)! Both, ALLOW-ROOT_LOGIN and ROOT_LOGIN shall be set to "no" and all access-rights upon directories and files set adequately. The computer-system will almost get serious hard hacked, if all this is not regarded!
mouseclick-fast work with the computer also has no chance to take into negative effect by following the methods of our excurs. For an always good and fast mount and umount of the USB-stick, actualize the filesystems to reisferfsprogs-3.6.24, e2fsprogs (1.43.2 from September 2016) resp. btrfs and manage the integration of the module usb_storage by modprobe. This module guarantees the fast secure mount and secure unmount of usb-media. To integrate it permanently for mdv2010 and other Linux, type into file /etc/modprobe.preload. If command chattr should keep its function instead, do not update the filesystem for loosing some kind of "id for owner-rights" But in this case, not much gets restricted, if chattr was not used before.
Our extra security-tip: Always click onto networkmanager-applet´s (el6), "exit" after the first dial-in into resp. after building up the first connection to the internet!
MAC Tomoyo profiles: /etc/tomoyo/*, kernel-boot-options security=tomoyo tomoyo=1.
# apparmor: application MAC-protection-shield and MAC-kernel-security-module to load within /boot/grub/menu.lst (grub1) by option security=apparmor apparmor=1
# dbus-apparmor&# within /etc/rc.local
# /usr/lib64/apparmorapplet&# /etc/rc.local
# example: apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox &&/usr/bin/firefox # ( resp., still in order not to resign from firejail as introduced: ...&&sg surfgroup "firejail --profile=/etc/firejail/firefox-esr.profile /usr/bin/firefox" )
# /etc/apparmor/profiles/extras/* :
885 23. Jul 15:03 bin.netstat
1247 23. Jul 15:03 etc.cron.daily.logrotate
955 23. Jul 15:03 etc.cron.daily.slocate.cron
729 23. Jul 15:03 etc.cron.daily.tmpwatch
1733 23. Jul 15:03 README
1934 23. Jul 15:03 sbin.dhclient
1297 23. Jul 15:03 sbin.dhcpcd
682 23. Jul 15:03 sbin.portmap
855 23. Jul 15:03 sbin.resmgrd
489 23. Jul 15:03 sbin.rpc.lockd
1010 23. Jul 15:03 sbin.rpc.statd
1655 23. Jul 15:03 usr.bin.acroread
791 23. Jul 15:03 usr.bin.apropos
4569 23. Jul 15:03 usr.bin.evolution-2.10
697 23. Jul 15:03 usr.bin.fam
750 23. Jul 15:03 usr.bin.freshclam
1918 23. Jul 15:03 usr.bin.gaim
595 23. Jul 15:03 usr.bin.man
618 23. Jul 15:03 usr.bin.mlmmj-bounce
1041 23. Jul 15:03 usr.bin.mlmmj-maintd
1096 23. Jul 15:03 usr.bin.mlmmj-make-ml.sh
884 23. Jul 15:03 usr.bin.mlmmj-process
587 23. Jul 15:03 usr.bin.mlmmj-recieve
766 23. Jul 15:03 usr.bin.mlmmj-send
821 23. Jul 15:03 usr.bin.mlmmj-sub
803 23. Jul 15:03 usr.bin.mlmmj-unsub
2017 23. Jul 15:03 usr.bin.opera
1003 23. Jul 15:03 usr.bin.passwd
1025 23. Jul 15:03 usr.bin.procmail
1132 23. Jul 15:03 usr.bin.skype
580 23. Jul 15:03 usr.bin.spamc
904 23. Jul 15:03 usr.bin.svnserve
1185 23. Jul 15:03 usr.bin.wireshark
674 23. Jul 15:03 usr.bin.xfs
1022 23. Jul 15:03 usr.lib64.GConf.2.gconfd-2
857 23. Jul 15:03 usr.lib.bonobo.bonobo-activation-server
1258 23. Jul 15:03 usr.lib.evolution-data-server.evolution-data-server-1.10
1604 23. Jul 15:03 usr.lib.firefox.firefox
386 23. Jul 15:03 usr.lib.firefox.firefox.sh
654 23. Jul 15:03 usr.lib.firefox.mozilla-xremote-client
1018 23. Jul 15:03 usr.lib.GConf.2.gconfd-2
1230 23. Jul 15:03 usr.lib.man-db.man
889 23. Jul 15:03 usr.lib.postfix.anvil
2101 23. Jul 15:03 usr.lib.postfix.bounce
1269 23. Jul 15:03 usr.lib.postfix.cleanup
530 23. Jul 15:03 usr.lib.postfix.discard
626 23. Jul 15:03 usr.lib.postfix.error
1701 23. Jul 15:03 usr.lib.postfix.flush
624 23. Jul 15:03 usr.lib.postfix.lmtp
1839 23. Jul 15:03 usr.lib.postfix.local
1887 23. Jul 15:03 usr.lib.postfix.master
2443 23. Jul 15:03 usr.lib.postfix.nqmgr
607 23. Jul 15:03 usr.lib.postfix.oqmgr
859 23. Jul 15:03 usr.lib.postfix.pickup
497 23. Jul 15:03 usr.lib.postfix.pipe
709 23. Jul 15:03 usr.lib.postfix.proxymap
2464 23. Jul 15:03 usr.lib.postfix.qmgr
626 23. Jul 15:03 usr.lib.postfix.qmqpd
670 23. Jul 15:03 usr.lib.postfix.scache
2260 23. Jul 15:03 usr.lib.postfix.showq
1842 23. Jul 15:03 usr.lib.postfix.smtp
2120 23. Jul 15:03 usr.lib.postfix.smtpd
626 23. Jul 15:03 usr.lib.postfix.spawn
791 23. Jul 15:03 usr.lib.postfix.tlsmgr
904 23. Jul 15:03 usr.lib.postfix.trivial-rewrite
628 23. Jul 15:03 usr.lib.postfix.verify
788 23. Jul 15:03 usr.lib.postfix.virtual
1339 23. Jul 15:03 usr.lib.RealPlayer10.realplay
1074 23. Jul 15:03 usr.NX.bin.nxclient
1120 23. Jul 15:03 usr.sbin.cupsd
864 23. Jul 15:03 usr.sbin.dhcpd
6148 23. Jul 15:03 usr.sbin.httpd2-prefork
818 23. Jul 15:03 usr.sbin.imapd
652 23. Jul 15:03 usr.sbin.in.fingerd
1279 23. Jul 15:03 usr.sbin.in.ftpd
590 23. Jul 15:03 usr.sbin.in.ntalkd
825 23. Jul 15:03 usr.sbin.ipop2d
825 23. Jul 15:03 usr.sbin.ipop3d
1365 23. Jul 15:03 usr.sbin.lighttpd
756 23. Jul 15:03 usr.sbin.mysqld
920 23. Jul 15:03 usr.sbin.nmbd
830 23. Jul 15:03 usr.sbin.oidentd
735 23. Jul 15:03 usr.sbin.popper
1331 23. Jul 15:03 usr.sbin.postalias
1017 23. Jul 15:03 usr.sbin.postdrop
829 23. Jul 15:03 usr.sbin.postmap
1091 23. Jul 15:03 usr.sbin.postqueue
3435 23. Jul 15:03 usr.sbin.sendmail
2061 23. Jul 15:03 usr.sbin.sendmail.postfix
1564 23. Jul 15:03 usr.sbin.sendmail.sendmail
946 25. Mai 2012 usr.sbin.slapd
1140 23. Jul 15:03 usr.sbin.smbd
1068 23. Jul 15:03 usr.sbin.spamd
1686 23. Jul 15:03 usr.sbin.squid
3691 23. Jul 15:03 usr.sbin.sshd
1310 23. Jul 15:03 usr.sbin.useradd
1344 23. Jul 15:03 usr.sbin.userdel
1073 23. Jul 15:03 usr.sbin.vsftpd
2413 23. Jul 15:03 usr.sbin.xinetd
We never got any delays during the secure umount of USB-sticks anymore.
mdv2010 mouseclick-fast: Linux runs faster than Windows: mouseclick-fast mdv2010 on SSD. The code of Linux seems to be architectured and optimized well. Nevertheless even Linux can run slow too. Before we ask us, how this can happen and which software to install, we are interested in cpu and RAM killing daemons to deinstall resp. remove from harddisc. That are processes running in the background, for what we need a good process-manager indicating resource-consumption in percent. Therefore we have to start programs like ptree, "ps -All", Systemüberwachung or just by pressing the keys "ESC" and "STRG". In our case packagekit with an enormous consumption of around always 40% was found out to install him for el6, same for nspluginwrapper, leading us to set chmod 000 /usr/bin/nspluginscan. Think about kio_thumbnail, that gets started sometimes for creating symbols within the filemanager for certain files, in dolphin depending on the configuration for preview. The capacities reducing process named "prelinking" should almost be tolerated instead:
"prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way, that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Due to fewer relocations, the run-time memory consumption decreases as well (especially the number of unshareable pages). The prelinking information is only used at startup time if none of the dependent libraries have changed since prelinking; otherwise programs are relocated normally."
Depending on configuration in MCC-security, msec_find checks periodically, during the boot or never. In MCC, security, periodical checks you can set many msec-checks from daily to weekly, even better to "manual", if your mainboard does not have more than one #SMP (CPU). After surfing as surfuser or other communications within the net, all processes started by surfuser should be killed again: killall -u surfuser. See our data-sheed: With our decision for mdv2010 and a SSD this aim got reached once more. Also beware the recommended frequency for the RAM-Modules mentioned in the manual the mainboard not to plug in one of a lower frequency. Then all went mouseclick fast already by the mainboard model DDR2 533 Mhz (or higher) 19W, that is recommended in the data sheed below. We already got 533Mhz-nonames assembled in Germany - for free before ... working fine (in spite of DDR2 Kingston 1GB 333 Mhz)! Do not forget: The computer-system with SSD is running once more mouseclick fast, if hdparm (omv2015, rosa2014.1, el7, el6) and sdparm (omv2015, rosa2014.1, el7, el6) is installed.
| SSD resp. HDD capacity used <=80% |
Boot-problems, do you have any problems during the booting? Just press the key for "i" for the interactive mode past the short message with udev. Now, by dialogs, it is possible to start each process manually or to resign from a process during the booting. On problems with the X-Server (graphic-card driver), start all processes except the display manager named "dm". On runlevel four less then five the terminal helps to enter all kind of commands to do the next things (like reinstalling the device driver or downgrading the X-Server from mdv2010.2 to mdv2010.0 by rpm again).
Be careful with the installation of further kernel, as some links in /boot (boot-partition) can mismatch refering to the settings in /boot/grub/menu.lst. Then you have to relink them by ";ln -sf TARGET linkfile" by booting with a repair-CD, a repair-USB-stick or a backuped, mirrored media (we do recommend anyway), in order to mount the boot-partition.
SSD-harddiscs are even better than the manufacturer do specify
publised article from 18. Juni 2014, 08:38 from admin, http://www.ahrens.de/ssd-festplatten-sind-noch-besser-als-die-hersteller-angeben/24906
SSDs are the better replacement for magnetic harddrives, for there do not consist of any mobile parts and hence they are up to 100 × faster during reads and 20 × durings writes and they seemed to be work quit endless. Test show, that they do not only work superfast, but also endure ten times longer as their manunfacturer promise. You can read the explicit test report on Golem.
Online update sources: http://fr2.rpmfind.net (FTP-downloads, here for el6, el7, mdv and mga) and http//pkgs.org (http-downloads for el6, el7, fc down to fc xx, mga down to mga xx), http://rpm.pbone.net/ (http- and ftp-downloads, el6, el7, all popular distros and versions)
The many security-checks within MCC, especially sectools, should be set from "daily", "monthly" and so on to "manually", in order to prevent irritating backgroud-processes.
MCC gives the opportunity in Network->,Network-Center to enable and disable tcp-timestamp, tcp-windows-scaling and dynamic IPv6. IPv6 uses static IP, so latter disabling is recommended.
29. October 2014, 08:49 Uhr, heise open
"The CentOS-team has released Version 6.6 of their Linux-distribution. It sources in Red Hat Enterprise Linux (RHEL) with the same version number Red Hat published two weeks ago. Therefore the new CentOS includes all improvements, under it a plenty of new and actualized driver, a device-mapper-target for the mount of a SSD as a cache for slow storage-media and the intergration of the High Performance Networking (HPN) that was costly up to now. You can get CentOS for free. It promises compatiblity to many distributions and is going to be fostered for a long time. Therefore the already some years old
CentOS 6 can be updated by security updates until the 30 of november 2026. Scientificlinux alias CentOS 6.7 is the second clone of RHEL 6.6, for Oracle has released the also cloned from this Oracle Linux 6.6 some days ago."
We found many packages by name already in SuSE 7.3 from year 2003 and Mandrake mdk10.0 from year 2004. The code of their includes must be read out well and better each day. Actual Gentoo-GLSA provides one of the best overview of updates for Linux: https://security.gentoo.org/glsa/, descended ordered by time. Typical cases for updates refer to arbitrary code execution, multiple vulnerabilities (especially buffer overflow), denial of service and information disclosure.In order to make the installation of listed updates possible, glibc has to be actualized. Not all updates from the listed ones like cpio should be installed, while those for tar, bzip, freetype rpm, openssl (tarball) and many other ones do function. Try the belonging tarballs or downgrade again, if not. Notice, that updates provided for the distribution, except named exceptions below, are almost sufficient, for mdv2010.1 and mdv2010.2 you can find them on ftp://fr2.rpmfind.net/linux/Mandriva/official/2010.1/x86_64/media/contrib/updates. fr2.rpmfind.net is a good installation and update source for most linux distribution except Debian (with its own deb-packages). Before a computer system gets updated, it always should be secured completely! For detailed troubleshooting, cases we did not have with mdv2010, sources out of the internet and newsgroup alt.linux.suse might be helpfuf too.
Linux permanently gets functional extended and therefore also the applications and libraries. Packet-Versions change as the distribution its version (by their own version-numbers) do.
In order to make a distribution error-free like in our example mdv2010, use a linux-friendly mainboard and install only those packets (and tarballs), that are belonging to the same installed version of a most complex distribution past 2003. In our example they are always ending with "...mdv2010". Pakets of next higher versions like mdv2011 should interest only after upgrading the glibc adequately or experimental. Nevertheless, also think of all the updates referring to the same distribution and its version, marked by name ending with "...version[distributionversion).update-number". To find such packages, take the installation-DVD/CD and make queries for rpmfind.net resp. mirror fr2.rpmfind.net. There, in the resulting listings, all packages are named explicitly in that way, that means by belonging distribution and version, but this might be the exception For mdv2010 a kernel-upgrade to mdv2012 by rpm-packages is possible. We do not recommend to change the distribution from mandriva to any other except many packages from Scientificlinux resp. ALT Linux resp. CentOS 6.7.
Does mdv2010 meet Fedora, actual fc23? Although mdv2010.1 and especially 2010.2 do not need any updates, you can upgrade mdv2010 to any actual linux, by installing the downward compatible C-standard-library glibc of rosa2014.1, mdv2012 or mga3 without rpm glibc itself out of glib2.0-common (fastest: actual pateched el6 or the sixtimes patched one from rosa2014.1 or mga3), glibc (el8, pclos, mga7, mga5, rosa2014.1), glibc-utils (el8, mga7, mga5, el6, rosa2014.1 or mga3), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8) glibc-profile (mga7, mga5, rosa2014.1 or mga3), glibc-static (el6) or glibc-static-devel (rosa2014.1, mga3), glibc-devel (rosa2014.1 or mga3), glibc-i18ndata (mga7, mga5, rosa2014.1 or mga3), glibc_lsb (mga3), libc6, mm-common (mga3), lib64glimm2 (mdv2010), gettext (rosa2014.1 or mga3), lib64gettext-misc (rosa2014.1), lib64gettextpo0 (rosa2014.1), lib64intl8 (rosa2014.1), lib64png16 (rosa2014.1), glib-networking (el6), lib64nspr4, lib64nss3, locales (rosa2014.1 or mga3), locales-en, locales-de, locales-fr, locales.jp and further more locales and the C++-standard-library stdcc++, all for x86_64 and i586, by ";rpm -U --force --nodeps". For glibc DO NOT INSTALL MORE mga3 OR mdv2012 than the listed ones! Now the hugh gate to any ultimative-
mouseclick-fast working linux world on SSD, even actual linux like today´s Fedora core 24, has opened for largest amount of software ever (even if not all of it)! You can upgrade and downgrade like by "elevators" reaching floors of distros and versions provided by listings from fr2.rpmfind.net. Warning: This does not function with all glibc without needing many other packages! You do not need them anymore. We repeat that software should do its function, while the rest is almost made secure by our excurs. After that we might install an actual version of the filesytem like e2fsprogs (1.43.2), reiserfsprogs (omv2015, mdv2011 or el7, el6), btrfsprogs and many updates recommended by Gentoo-GLSA, url see below. At last for our Linux-tuning, following the new filesystem-rpm, copy all files of /lib to /usr/lib, /lib64/* to /usr/lib64, /bin/* to /usr/bin, /sbin/* to /usr/sbin. After all the operations upon glibc, Linux is not able to run faster in future.
glibc (el8, pclos, mga7, mga5, rosa, mga3, mdv2012) complete for x86_64 (64 bit cpu), analogous i586 (32 bit), without making any problems: glibc (mga7, mga5), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), glibc-devel, libc6, glibc-i18ndata (mga7, mga5), glibc-profile (mga7, mga5), glibc-utils (mga7, mga5), glibc_lsb, gettext, locales, locales-en, locales-de, ..., gettext-base, lib64gettext-misc, lib64gettext-po0, lib64intl8, lib64png16, glib-gettextsize, glib-networking, glib2.0-common, lib64gio2, lib64glib-networking, lib64glib2.0, lib64glib2.0-devel, lib64glibmm2, lib64gmodule2, lib64gobject2, lib64ffi6, lib64gthread2, lib64stdc++, lib64QtGlib2.0, lib64packagekit-glib2 and prelink or glib2 (el7 or el6 instead of lib64gthread2 (rosa2014.1), lib64gio2 (rosa2014.1) and lib64gobject2 (rosa2014.1), we installed this one for this is el6 )
In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.
We decided us for the following GNU C Standard Library glibc:
glibc (el8, pclos, mga7, mga5, rosa2014.1), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), libc6 (rosa2014.1), compat-glibc (el6), glibc-common (el6), glibc-i18ndata (mga7, mga5, rosa2014.1), glibc-headers (el8, el6), glibc-static (el6), glibc-utils (mga7, mga5, el6), glibc-profile (mga7, mga5, rosa2014.1), glibc-glibc_lsb (rosa2014.1), locales (rosa2014.1), glib2 (el6), prelink (rosa2014.1), lib64stdc++ (fc, pclos, mga, rosa2014.1 und el6) oder auch alles mga7, mga5 oder rosa2014.1
Paket-manager drakrpm offers the option named like "store in cache" in the menu for the seldom cases, where dependencies of packages are not solved correctly. Whenever this happens, downloaded packages should be copied from /var/cache/urpmi/rpm resp. /var/cache/urpmi/partial to any secure place for reinstallaton.
Depending on the graphic-card-driver x11-driver-video-name, for our platform with name=intel choose the X11-Server for mdv2010.0 even before mdv2010.1 refering to all files beginning with x11-server by name. Library-packages have to be installed for the X-Server too that are quit unknown in this context for you. To go sure with the X11-server of mdv2010.1, install all library-packages (lib64....rpm) you need for the program-packages at first, before the installation of the X-Server of mdv2010.1 takes place. So one of the last packages to update are those for the X-Server of mdv2010.1!
Either a programm is working or it is not, that means, it does its introduced functions or it does not. In the first case updates are seldom needed!
Be careful with the installation of many el6-packages. Some can restrict the functionality of mdv2010 (el6, el7), for expample usermode can effect the call by mouseclick of MCC. So collect all previous installed rpm of mdv2010 in a directory for possible reinstallation needs.
For SMP#1 (mainboard with one CPU only), wallpaper´s fly mode of a wallpaper is not recommended.
Method for prevention: already mentioned encryption of the partitons of the harddrive, also from USB-media, at least the encryption of some certain files. You see by all the already red marked passages and text: Although we dare to talk about security for the computer and although all payed amounts and sums in conjunction with computer should be transfered back, of course it is never learnt out.
Data backup and restore
Always keep all installation-packets accessible. During installation phases, even mdv2010 can conflict in some unsolved of the quit infinite package-dependencies.Check out some programs, if the stell do start and run. If the shell or any program does not, use a terminal to start them in order to watch out error-messages as the cause (for packages) why not, in more serious cases use the prefix strace: "strace command-executable-file". If mdv is not booting correctly, the key "i" should be pressed to get into the interactive mode, where almost all should be started except the displaymanager dm.
You can save your SSD possibly forever! Not only two SSD or one more harddrive are needed, you also need a bootable USB-stick or Mindi or Mondo or a Knoppix from DVD resp. on a 250 MB sized partition to execute the command dd for the backup and restore of partitions.
Recommended (PCWelt, 08.08.2015) commands are rsync or fontend grsync, alternatively rdiff, all packages resp. commands are provided for mdv2010. For SSD, in order to save power, work reliable and abstract, we recommend one more SSD or a magnetic backup harddisk, where partitions have to be mirrored 1:1 by partiton manager, rsync its helpful frontend grsync, the command rdiff or special mirror-commands. Such commands full of options really do their best, even over SSH. But for local backups and restores, that means, if you ask us, we just prefer the simple command
dd resp. safecopy, depictied below: unbeatbale! Although SSDs do not like dd very much by taking their time with it, dd always seems to reach its end at any time (dd works around 1 GiB per Minute refering to our SSD), or use dd-replacement safecopy, if not. Notice, that dd still does not provide any progress-bar. But do not believe in fairy tales as this certain country is known for, perfer dd, as for example neither the operating system nor oneself does know exactly, what all to backup, which partitions, directories and files, in order to pevent the worst one can happen: new installation, problems during restauration, file manipulation after hacker attacks with vandalism and/or data loss. So resign from so called backup-programs by backuping and restoring always 1:1-partitionwise with dd, here partition sda1 onto partition sdb1:
| dd if=/dev/sda1 of=/dev/sdb1 |
Use sdd instead of dd to see a progressbar.
With the reliable dd, your partitions get always restored, if damaged. Therefore never use any other backup-programs for your partitions, don´t be such fool ! It is dd always terminating fine, only not in the case, its environment got damaged, in our example Knoppix from an own partition from SSD resp. harddisc or DVD. Therefore keep the Knoppix-partition on all media, the backuped one and its backupening, beneath Knoppix on DVD and/or USB-Stick.
The only disadvantage of dd is, that dd does not show any progress bar.
If you want to be even more clever for making backups than even dd allows, use dcfldd. This el6-rpm works on mdv2010 like dd, but does show a progressbar. Some more extensions enable fexible-disc-wipes, an resume on error, the estimation of md5-checksums using additional options like "hash=md5" and "md5log=md5.txt" and splitting the output-files.
Although with dd all data backups managed well, even on SSD, it is warned against the use of this command for SSD. http://ubuntuwiki.de/files/ssd/grundlagen.html :
dd does fills unused and empty sectors and blocks with zero, so that the essential spare-area of SSD will not be free anymore. Even the for speed (access-times) important alignment becomes absurd.
The amount of write-operarations shortens its life-time.
Therefore the command cp and rsync are recommended.[...]
Clonezilla advantages in transferring only the non-empty blocks during the data-transfer.
Linux-Bot-Net, Heartbleed, Shellshock, glibc-Patch, Bad Cow, ... on the way to Zero Updates, zero Patches and zero Bugfixes
Following distribution offer updates for mdv2010: omv2015, mga, rosa2014, mdv, fc, el7 and el6.
In msec, set "allow-root-login" to "yes", during the updating processes, in order to guarantee the usage of bash-commands and the work with the package-manager rpm.
Make a 1:1-partitionswise backup on an extern media by reliable (even on encrypted partitions) working commands like dd from rescue-DVD or Linux on USB-stick, that can be used for restoring too.
One more aim of updating is to set "allow-root-login" again back to "no", to move all logfiles to shm- (RAM-) directory /tmp, to set the root-partition to "ro" (read-only) and to deactivate the journalling feature of linux-filesystems. This is performed at the very end of this section for reiserfs.
Many cases like bash with the so called Shellshock, glibc, Linux-botnets and openSSL and so on tell us about the of essentiality updates.
Security leak "Dirty Cow" within the Linux-kernel enpossibles prohibited extension of access rights: http://www.pro-linux.de/news/1/24096/sicherheitslücke-im-linux-kernel-ermöglicht-lokale-rechteausweitung.html. In this report apparmor is mentioned, that might generally help. Start apparmor in the background for example in /etc/rc.local by /usr/lib64/apparmorapplet&
This security-lack is known by kernel-developer for many years. Nevertheless, with linfw3 and msec level.secure configured as introduced, Dirty Cow becomes no risk, as an intrusion into the system is conditioned, regardless from patching the kernel or not.
Kernel 4.20.13 (PCLinuxOS2019) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. kernel 2.6.39.4-5.1 (mdv2011) can be patched with patches from year 2011 up to date from http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/. We made good experiences with this patched kernel.
Plenty of packages of mdv2010 resp. mdv2011 can be updated with CentOS 6, CentOS 7, Rosa2014.1 and Rosa2012, except KDE-Akonadi-Nepomuk for interal dependency (mdv2010: Version 4.4.5) and a few single packages. KDE can be updated completely.
KDE 4.4.5 includes many updates as mentioned by the report http://var-log.de/page/6/ from year 2008:
"For the release of 4.2 the KDE-Team fixed thousand errors and builds in many new features missed in KDE 4.2. This beta release gives the oppurtunity to check last errors and bugs. The KDE Team has published a list with significant improvements in 4.2 Beta 2. Since the first beta less than four weeks ago, 1.665 new errors were found out and 2.243 ones got corrected. Sine the release of KDE 4.1.0 more than 10.000 errors wth a strong view upon the stability of KDE 4.2 were fixed Past KDE 4.2 many monthly updates are expected and finally, in summer 2009, KDE 4.3. Signficant improvements of Plasma and KWin, the KDE Workspace... ."
Our KDE solution: KDE as a mix out of kde 4.4.5/4.4.9 (mdv2010.2, November 2011), kde-4.3.4 (el6, actual patched up to year 2026) and kde (4.4.4, OpenSuSE 11.2, end of year 2013)
By mdv2010.0, mdv2010.1, mdv2010.2 and some mdv2011.0, most versions and releases of RPM-packages got fixed and patched well for functionality for around two years- similar to el6 and el7 from year 2010 to 2026. . All update-rpm listed below will lead into an up to year 2026 actual, well functioning Linux. Only the two up to five times patched KDE 4.4.5 (mdv2010.2) is not upgraded. You can keep it or try KDE (omv2015) or KDE of mandriva-successor Rosa2014.1 from pkgs.org for example. In the case of dependency-conflicts, dare to install by package-manager rpm with the option --force and --nodeps (analog Debian), if you keep the preceeding packages beneath you and if you care for the installation packages that are still required, listed by rpm during the installation-process.
Except for Browser, bash and OpenSSL, mdv2010 and Linfw3 make it possible: processes for net-connections (inclusive server resp. all daemons resp. services to activate explicilty) have to be started, build-up and therefore posessed only by the password-protected user "surfuser" belonging to group "surfgroup", while LINFW3 is blocking all other processes not started by surfuser, even those owned by root. The next thing, Linfw3 does, is opening only those ports belonging to such activated services. Furthermore it should be not allowed to chroot, while surfuser is not a member of any user and not any group except surfgroup. To login as root, a root-login should generally not be allowed by configuration (MCC, security settings), and a user must be a member of the group wheel, in order to login as root, what can reduce the time for different works without riscing to much, if LINFW3 protecting with UID-owner surfuser and GID-owner gets activated. Using MCC security an accessless root access can be configured for the command su. In the device-configuration-file /etc/fstab It is also possible, to set the option "noexec" each partition, especially for the partition including the files owned by the user "surfuser". Then the configuration of file-release within LAN and access-rights for directories and files can even prevent the reading of directories and files with sensible data ("chown non-surfuser; chmod 700"): the concept of UNIX-(file)systems! Its a remaining matter of communication-protocols themselves, that can be used (build-up) by the password-protected surfuser through belonging port-releases only. To be more careful than careful, move all sensilbe data to a one more encryted partition or an encrypted extern media, that should be plugged in or read again only the time, suspect services are not activated (when belonging connections are not build-up). This fact is described more in detail below in our section for LINFW3. You can even resign from many updates. But nevertheless, to go sure (over sure) as promised, we are going to describe, how mdv2010 can be kept uptodate almost by the until 2026 actualized Scientificlinux alias CentOS 6 resp 7.
Good luck: Unix/Linux always consists in main of the same software, kernel, grub/lilo, dracut, glibc, X11-Server, window- and desktop-manager like Gnome and KDE with konqueror and kpim out of kmail, knodes, clamav, firefox, OpenOffice and koffice, gimp and so on. In comparison with non OpenSource, this opensource is checked many times for it is read out well. Notice, that many new updates, patches and bugfixes listed in fr2.prmfind.net for mdv and GLSA Gentoo just rely on functionality extensions. Therefore, do not use them. They might not work!
Everything of mdv2010 will run fine and stable on your SSD, except the KDE leading to sink plasmoid Daisy, belonging to the plasmoids like such for the wheather-forecast for example, exchanging data with extern sources. You can always deinstall and deactivate such insecure behaving plasmoids. Although the upgrade of glibc to rosa2014.1, mga3 or higher widens the possibilities, mdv2010 bewares its sensibilities in the case of the installation of wrong packages, that can lead to serious hard system-breakdowns and hangups. Think like the MCC-packet-manager. Beware previous installed packages, until mdv2010 runs stable (reinstallation: rpm -U --force and/or --nodeps).
Have a look into the
changelog of each packet. There you get to know about all modificiations by date and the name of the day of the week in descending order, the modification time, name resp. e-mail-adresse of each author (programmer), who has programmed the modification and a short description of the modification itself. It must be at last the publishing organisation, who has checked all this information out using tools like diff. Some updated resp. patched packages can be found out immediately by their high version release number (el6 and el7) like NetworkManager-xxxx-107 (el6), where 99 stands for the 99th release or in addition by the number after the point at the end of the version number (mdk, mdv, mga) like NetworkManager-xxxx-25.2, where "2" stands for the second patch of the version´s release. If the version number differs in the first ciphers, the package almost contains serious hard changes. If the version number differs in end-ciphers only from the already installed one, it gets more likely, that you can use this package for replacement. Right before the version number resp. the end of the package name the short name for the belonging distribution, followed by the kind of processor is named resp. the "noarch" in the case of independency from the processor type. A third person not named in the changelog and list of the packager names would have as much difficulties with the manipulation of the packets as cracking and hacking the computer with the rpm-command and the files on the storage media.
Filesystem, you have several opportunities: reiserfsprogs (omv2015, omv2014) or reiserfs-utils (fc23, el7, el6), e2fsprogs (1.43.2) with lib64ext2fs (rosa2014.1) without uClibc (omv2014, omv2015), uclibc-lib64ext2fs (omv2014, omv2015)
reiserfs-3.6.24-8.5 (OpenSuSE Factory) with libreiserfs, libreiserfs-progs and libreiserfscore0.
The harddrive (SSD) causes errors for some reiserfs-versions during the system boot and checks by reiserfsck. Therefore our choice consists of reiserfsprogs (omv2015) and e2fprogs (rosa2014.1) together with lib64ext2fs (rosa2014.1)- causing no errors anymore.
hdparm (omv2015, rosa2014.1, el7, el6) and sdparm (omv2015, rosa2014.1, el7, el6): adequate SSD-parameters within /etc/rc.local (hdparm -W1a0A0 /dev/sda) support our aim: all on SSD and mouseclick-fast! MCC, gparted and disk manager Palimpsest provides overview, some administration, benchmarks and partitioning.
Notice, that all package-dependencies have to be installed with one package. Otherwise this can cause a state similar to buffe-overrflows, where CPU and RAM seem to have lost their capacities quit working endless.
Next point: specific microcode-update for the CPU. For the mainboard we introduce in data-sheed, ucode-intel (OpenSuSE) and ucode-intel-blob (OpenSuSE) should be installed to follow our aim of
mouseclick-fast PC-working.
All updates (since) mdv2007.0 and mdv2010 do regulary refer to, and this is the advantage of UNIX-Systems: buggish software (not much for mentioned mdv), all net-communication-programs like proxy (squid,...), MySQL, telephony, the browser (using ssl3.0 instead of tls as reported by three members of the Google-Team, that means all firefox up to an actual resp. TLS-using version 34 ( unpacking an easy by menu updateable, actual firefox into a directory like /usr/lib64/firefox and choosing "Update Firefox" out of the menu (same for Thunderbird into /usr/lib64/thunderbird), updating firefox in detail, see our section updating firefox. Such
How to block scripts and ads with an ad- resp. script-blocker like konqueror-adblock.so and adblockplus is much more simple than presented by their typical large resource-killing blocking-lists full of pregiven exceptions:
At first all blocking-scripts like easylist have to be removed out of AdblockPlus resp. other adblocker. Many of them contain exceptions. The special convenience for (more) exceptions has to be deactivated too by clicking upon the hook, so that the hook does not appear anymore.
Now, like firewall linfw3, the "trusted"-strategy, "forbidden is, what is not (explicitly) allowed" should be followed.
Therefore the only existant private ad- resp. scriptfilter should just include the following entries:
@@*.css*
||*.js/*
||*.com/*
||*.net/*
||*.de/*
||*.pl/*
*
or just the one single char for a star:
*
for all, that could ever be blocked from a website!
That´s all ! It is not a bad idea to allow all stylesheets (css) by adding the one more entry @@*.css* right at the top of the filter list. Very brave ones risk webbugs (scripts with an image output) filtered out by other extensions and add @@*.jpg* , @@*.jpeg*, @@*.gif* and @@*.png* too, that can be allowed in ABP resp. ABL as exceptions each website loaded. Filter-lists from elsewhere like the up-to-date to keep EasyList with their many exceptions are not needed anymore! They just were nonsens, as no more entries are needed (eventually except some more top-sublevel-domains (country-codes) in addition to "*.de/*".
So a single char for the star apriori "*"does already do its very best!
Our final solution: Our complete ABP- resp. ABL-filter-list, especially at the very beginning, just has got the includes:
ABP (Firefox <= ESR 52.9.0):
@@*.png*
@@*.css*
@@||*.gif*
@@||*.jpeg*
@@||*.jpg*
@@||*.svg*
*
*.js*
*.pl*
*
ABL (Pale Moon):
@@*.png
@@*.css
@@*.gif
@@*.jpeg
@@*.jpg
@@*.svg
*.js
*.pl
*
without any further entries and without any imported filter-lists (full of exceptions and superfluous rules) like EasyList.
Good luck: These few snake-speeded entries do not influence the surf-speed measurable much.
In order to make visible now, what should in your eyes be visible from a loaded website, EXCEPTION by exception should be added to the list almost using wildcards resp. regular expressions after the build-up of the side, until the hidden (blocked) parts get visible. At first, if the css-entry should be missing, think of all Stylesheets (css) to consider as exceptions, while especially most or all Javscript (.js) should still be blocked. To go sure, block *.js and *.pl beneath the general "*" from above in future (as already made in our list above). Enter exceptions for not shown images (if belonging exceptions from above should still be missing) by entries like https://.../*.jpg and https://.../*.png too.
After that, the webside should be loaded one more time (refresh) and JavaScript should be disabled again for the next certain time by "javascript.enabled false" passing "about:config". If the filters of ABP resp. ABL are set as recommended above, beware for Firefox-ESR (and, if you want, also Pale Moon) "javascript.enabled true" as all javascript is already filtered out. Listed extensions will really work fine, if set to true.
Do the same with Firefox-Extension RequestPolicyBlockedContinued just to be even more careful or to do it more additionally, as unknown Tracker already got blocked with their first appearance, until they get allowed by the user.
In the first configuration window set all three hooks, therewith new rules entered can be stored durable and not only temporary.
Next configuration window deals with the ruleset. Enter a new rule by electing "block" and entering a * (star) again into all fields for the new rule. Now the self-blockade of a webside (resp. server) has to be prevented by allowing the belonging rule just for the trusted server itself. If not, images and other objects might get blocked.
There are pregiven rules within the ruleset of RequestPolicyBlockContinued located in a directory far sub /home/surfuser/.mozilla/firefox/default-or-standard-profile with the some json-typed files like allow_functionality.json, allow_sameorg.json and so on, that can also be overworked, if you want..
The private mode can be deactivated by clicking upon settings in Firefox ESR, although this won´t be the truth, that means he won´t become really deactivated through using extension Private Tabs. Or take it the other way: activate the private mode and deactivate him by clicking upon the TAB to deactivate the private mode through Private TAB.
Incognito-mode for the protection of the privacy during surfing, PC-WELT.de, 03.11.2019
Windows-10-Browser Edge as much as Google Chrome and Firefox offer a mode leaving no tracks during the surfuing on the PC behind. Howto use this mode in a reliable way:
Whenever you change into the private surf-mode, all during the visit of websites stored information like cookies, history protocols, web-cache, images and videos are deleted resp. removed past the closing of the browser.
This especially interests, if you are surfing with a foreign computer in the web, in order to avoid leaving any tracks behind you. But this is an advantage for your own PC too, as the deletion (removal) of your surf data at the end of each internet-session makes it more difficult for the owner resp. administrators of websites to create user profiles.
[...] Notice, that the private mode does not care for anonymity in the internet Your internet provider (ISP), the administrator of the router of communities or the net administrator in the net of a company is still enabled to evaluate the sites visisted, the links clicked and data transferred.
https://www.pcwelt.de/a/inkognito-modus-privatsphaere-beim-surfen-schuetzen,3450334
Did we mention it, didn´t you know? PHP- and Perl-scripts are interpreted always at first and serversided each website load, before the Javascript and HTML is interpreted client-sided (on the side of the surfer resp. user).
.
In the hope,.that user.js from KaiRaven and other authors is copied into the standard-profile-directory, that linfw3 and firejail got installed and configured, /etc/hosts from far below of this website is located and the DNS (in the priority local followed by remote and pdnsd) configured well, the surfing with Firefox ESR can right begin!
During the surfing, noscript and RequestBlockPolicyContinued have to be analyzed past the load of a website. It is your own, free choice to filter out or to pass listed scripts by. If a webseite requires cookies, they can be allowed by the CookieController.
All, that has to be done now after the configuration of listed extensions too, is to start the browser and to click upon the first and only appearing TAB to make it private (working in private mode).
Nevertheless what we have seen works on the base of "trusted" like linfw3 and openssl upon ssl-certificates and so on might do.
But AdblockPlus changed its layout in November 2017 making such configuration impossible. Try elder versions downloadable from fr2.rpmfind.net named mozilla-adblockplus-2.9.1-27 (fc28, fc27, el7, el6), noscript: mozilla-noscript (-5.1.8.6, 5.1.8.5, 5.1.7-1, fc28, fc27, el7, el6) or seamonkey-noscript (el6, 5.1.9-3, recommended noscript for ff-ESR-52.9.0; contains the xpi-installation-file), http://ftp.pbone.net/mirror/archive.fedoraproject.org/fedora/linux/updates/25/armhfp/Packages/m/mozilla-noscript-5.1.7-1.fc25.noarch.rpm.
Noscript, rpm mozilla-noscript (fc29, el7, el6) can enforce ssl-encryption (https) of addressed websites, by entering in a great text-input-field of register HTTPS:
*
Write exceptions below each other in the field below. Firefox-extension https.everywhere, rpm mozilla-https-everywhere (fc, el6 or mozilla.org), is not needed anymore.
The important Firefox-security-extension RequestPolicyBlockedContinued, rpm: mozilla-requestpolicy (-1.0-0.22.20171019git633302 fc29, el7, el6) might contain some pre-defined rules, but it also enables the adding of temporary as much as persistent new rules for user. They might be set generally under target and therefore not under start, using * for any port. You might want to set them for extern loaded fonts and google like *syndication*:*/*, *analytics*:*/*, *tagmanager*:*/*, *usercontent*.*:*, *google.*:*/* and other targets. Install this extension past ABP, but before noscript.
Searchplugins (for integrated in search engines) of Firefox /usr/lib64/firefox/browser/searchplugins can be removed except one. If you remove all, the context menu might not build up completely, for example copy and paste of text and links might not function anymore.
To go sure, remove the search-parameters within the remaining xml-searchplugin by a text-editor like nano.
Incognito-Mode: Protecting the privacy during the surfing, PC-WELT.de, 06.04.2018
Windows-10-Browser Edge as well as Google Chrome and Firefox provide a mode keeping from tracking the PC.
[...] Firefox-users have to click upon the icon with the three horizontal bars right up in the menu to choose "private windows" or by pressing the keys STRG-P.
https://www.pcwelt.de/a/inkognito-modus-privatsphaere-beim-surfen-schuetzen,3450334
Certifcates: Following permissions can be set to the values "Always-ask", "allow" and "block" for each website by clicking on the symbol for the lock and register "Permissions":
Remove (quit) all URL resp. URI the browser (including Pale Moon and Tor-Browser) has stored and lists through about:config
about:config -> type into the address-search-line http -> remove listed URL by clicking upon them and exchanging them through a blank (empty string).
Access Your Location
Intall Add-ons
Load Images
Maintain Offline Storage
Open Pop-up Window
Receive Notifications
Set Cookies
Share the Screen
Use the Camera
Use the Microphone
Finally one should have read the report for the configuration of firefox-ESR by "about:config": Firefox-Tuning zur Absicherung und Anonymisierung, https://wiki.kairaven.de/open/app/firefox, to understand what we do next. (!!!)
There the configuration of almost overwritten values out of about:config should happen through mozilla.cfg. But this does not work. The include of this file has to be taken over (copied) from mozilla.cfg (installation directory) into defaults/local-settings.js. Now the "forgotten" values are almost set in Firefox ESR.
All entries are listed in http://kb.mozillazine.org/About:config_Entries ´
/******************************************************************************
* /home/surfuser/.mozilla/firefox/your_default_profile_directory00-or-so/user.js *
* https://github.com/pyllyukko/user.js *
******************************************************************************/
// http://kb.mozillazine.org/User.js_file
//
// always enable mouseclick on links and formular text inputs:
// (user_pref("network.protocol_handler.expose_all", true)
//
//====================================================
// section TOR-BROWSER (ff-ESR) only
// ===================================================
// The meek-http-helper extension uses dump to write its listening port number
/// to stdout.
// user.js for Pale Moon and Firefox-ESR-52.9
// pale moon- and therefore also ff- extension SecretAgent for setting and changing user agents
user_pref("extensions.SecretAgent.StealthMode", true);
// enable javascript, so that ABP (fc29) of ff will work, but disable it for Pale Moon because of ABL. ABL works even, if disabled.
user_pref("javascript.enabled", true);
user_pref("browser.addon-watch.ignore", "");
// block images: 3: from third parties
user_pref("permissions.default.image", 3);
// Next one might block webbugs etc.:
user_pref("security.xcto_nosniff_block_images", true);
//
// disable ftp
user_pref("network.protocol-handler.external.ftp" true);
//
//Proxy: always use anonymizing Tor each ff-start
user_pref("network.http.proxy.pipelining", false);
// Settings won´ get stored, when using: user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.type", 1);
// DNS for Tor: remote DNS lookup at first or local DNS lookup at first. We care especially for the case "false" in future in the excurs-section for DNS-Server
user_pref("network.proxy.socks_remote_dns", false);
// Erhöhung der Privatsphäre gegenüber Suchmaschinen: Wie bereits dargestellt übermittelt Firefox standardmäßig jeden einzelnen Buchstaben bzw. unsere Eingabe an eine
// Suchmaschine, ohne dass wir die Suchabfrage überhaupt abgesendet haben. Diese "Komfortfunktion" wird über die user.js deaktiviert. Wer die Funktion beibehalten möchte, der kann optional
// folgende drei Zeilen einfach entfernen:
// ## Disable location bar LIVE search suggestions
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.urlbar.suggest.searches", false);
// some more settings
//
// Strict user.js: Die strenge user.js blockiert restriktiv vieles, was für Tracking sowie Sicherheit relevant sein könnte. Neben Trackinschutz sollen auch Möglichkeiten für Angriffe auf den Browser minimiert werden.
// Diese Einstellungen sind für Risikogruppen geeignet, die für höhere Sicherheit einige Einschränkungen in Kauf nehmen.
// Javascript Just-in-Time-Compiler sind aus Sicherheitsgründen deaktiviert, was die ausführung von Javascript auf einige Webseiten verlangsamt.
// Anzeige von PDF Dokumenten im Browser ist deaktiviert.
// SVG, Flash, WebGL und WebGL2 sind komplett deaktiviert.
// Auto-Play und Hardware Video Decoding sind deaktiviert.
// Closed Source Video Codecs werden nicht verwendet.
// Favicons werden nicht geladen und nicht gespeichert.
// Es werden keine Login Credentials gespeichert.
// Unverschlüsseltes HTTP und FTP sind abgeschaltet, nur HTTPS möglich.
// Push Services sind deaktiviert.
// Der Download von externen Schriftarten ist auch für Symbole deaktiviert. Um die resultierenden Einschränkungen etwas abzumildern, kann man häufig genutzte Webicon Fonts wie den Awesome Webicon Font lokal
// installieren. Linux Distributionen enthalten passende Pakete:
// Ubuntu: > sudo apt install fonts-font-awesome
// Fedora: > sudo dnf install fontawesome-fonts fontawesome-fonts-web
// https://privacy-handbuch.de/handbuch_21u.htm
user_pref("noscript.preset", "medium");
user_pref("media.video-queue.default-size", 0);
user_pref("status4evar.advanced.status.detectVideo", false);
user_pref("devtools.cache.disabled", false); // must be set to false, true might cause screen-flickering!
user_pref("devtools.browserconsole.filter.secerror", false);
user_pref("devtools.command-button-frames.enabled", false);
user_pref("devtools.command-button-responsive.enabled", false);
user_pref("devtools.command-buttion-splitconsole.enabled", false);
user_pref("media.gmp-manager.certs.2.commonName", "");
user_pref("media.gmp-manager.certs.1.commonName", "");
user_pref("gecko.handlerService.schemes.mailto.0.name", "");
user_pref("gecko.handlerService.schemes.mailto.1.name", "");
user_pref("general.useragent.compatMode.gecko", false);
user_pref("general.useragent.compatMode", 0);
user_pref("general.useragent.override.aol.com", "");
user_pref("general.useragent.override.netflximg.net", "");
user_pref("general.useragent.override.players.brightcove.net", "");
user_pref("general.useragent.override.deviantart.net", "");
user_pref("general.useragent.override.bing.com", "");
user_pref("general.useragent.override.calendar.yahoo.com", "");
user_pref("general.useragent.override.chase.com", "");
user_pref("general.useragent.override.citi.com", "");
user_pref("general.useragent.override.dailymotion.com", "");
user_pref("general.useragent.override.deviantart.com", "");
user_pref("general.useragent.override.dropbox.com", "");
user_pref("general.useragent.override.firefox.com", "");
user_pref("general.useragent.override.gaming.youtube.com", "" );
user_pref("general.useragent.override.github.com", "");
user_pref("general.useragent.override.google.com", "");
user_pref("general.useragent.override.googlevideos.com", "");
user_pref("general.useragent.override.gstatic.com", "");
user_pref("general.useragent.override.humblebundle.com", "");
user_pref("general.useragent.override.mozilla.com", "");
user_pref("general.useragent.override.msn.com", "");
user_pref("general.useragent.override.netflix.com", "");
user_pref("general.useragent.override.outlook.com", "");
user_pref("general.useragent.override.patientaccess.com", "");
user_pref("general.useragent.override.soundcloud.com", "");
user_pref("general.useragent.override.web.whatsapp.com", "");
user_pref("general.useragent.override.www.amazon.com", "");
user_pref("general.useragent.override.yahoo.com", "");
user_pref("general.useragent.override.yuku.com", "");
user_pref("general.useragent.override.addons.mozilla.org", "");
user_pref("general.useragent.override.altibox.dk", "");
user_pref("general.useragent.override.altibox.no", "");
user_pref("general.useragent.override.mozilla.org", "");
user_pref("general.useragent.override.netflximg.com", "");
user_pref("general.useragent.override.youtube.com", "");
user_pref("general.useragent.override.web.de", "");
user_pref("general.useragent.override.privat24.ua", "");
user_pref("general.useragent.override.players.brightcove", "");
user_pref("general.useragent.override.hitbox.tv", "");
user_pref("general.useragent.override.live.com", "");
user_pref("security.ssl.disable_session_identifiers", false);
user_pref("devtools.remote.wifi.scan", false);
user_pref("devtools.gcli.imgurClientID", "");
user_pref("devtools.remote.wifi.visible", false);
user_pref("browser.dom.window.dump.enabled", true);
//
// Enable (here disable) SPDY and HTTP/2 as they are in Firefox 38, for a matching ALPN extension.
// https://trac.torproject.org/projects/tor/ticket/15512
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("network.http.spdy.coalesce-hostnames", false);
//
// https://support.mozilla.org/en-US/questions/1043508
user_pref("dom.disable_beforeunload", true);
// Disable safe mode. In case of a crash, we Don´t want to prompt for a
// safe-mode browser that has extensions disabled.
// https://support.mozilla.org/en-US/questions/951221#answer-410562
user_pref("toolkit.startup.max_resumed_crashes", -1);
//==============================================
// end section TOR-BROWSER
//==============================================
// Set a failsafe blackhole proxy of 127.0.0.1:9, to prevent network interaction
// in case the user manages to open this profile with a normal browser UI (i.e.,
// not headless with the meek-http-helper extension running). Port 9 is
// "discard", so it should work as a blackhole whether the port is open or
// closed. network.proxy.type=1 means "Manual proxy configuration".
// http://kb.mozillazine.org/Network.proxy.type
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9);
// Make sure DNS is also blackholed. network.proxy.socks_remote_dns is
// overridden by meek-http-helper at startup.
user_pref("canvas.capturestream.enabled", false);
user_pref("security.csp.experimentalEnabled", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.permissionPrompts.showCloseButton", true);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.resistFingerprinting", true);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
user_pref("security.family_safety.mode", 0);
user_pref("social.directories", "");
user_pref("svg.disabled", true);
user_pref("extensions.enabledAddons", "meek-http-helper@bamsoftware.com:1.0");
user_pref("network.protocol-handler.expose.ftp", false);
user_pref("network.protocol-handler.external.ftp", false);
user_pref("image. animation_mode" "normal");
user_pref("update. interval", 0);
Determines when images should be loaded.
1 (default): Load all images
2: Do not load any images
3: Load images from same (originating) server only
Note: This preference was previously known as
user_pref("permissions.default.image", 1);
//
// PC-Welt.de, https://www.pcwelt.de/ratgeber/Geheime-Tricks-der-Insider-Browser-Geheimnisse-8809751.html
//
user_pref("Media.navigator.enabled", false);
user_pref("Media.peerconnection.enabled", false);
user_pref("Browser.taskbar.previews.enable", false);
user_pref("Privacy.resistFingerprinting", true);
//
//
//
//
// Pale Moon Extension: Block Content Download
//
user_pref("extensions.mdsy.block.script", false)
user_pref("extensions.mdsy.block.xhr", true)
user_pref("extensions.mdsy.block.image", false)
user_pref("extensions.mdsy.block.media", true)
user_pref("extensions.mdsy.block.object", true)
user_pref("extensions.mdsy.block.font", true)
user_pref("extensions.mdsy.block.style", false)
/******************************************************************************
* SECTION: HTML5 / APIs / DOM *
******************************************************************************/
// recommended for Firefox-ESR
// listed settings contribute to anonymizing and increasing speed of firefox up to 100%
// copy to /home/user/.mozilla/firefox/*your_profile_default_directory/
// PREF: Disable Service Workers
// https://developer.mozilla.org/en-US/docs/Web/API/Worker
// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
// Unknown security implications
// CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
user_pref("dom.serviceWorkers.enabled", false);
// PREF: Disable Web Workers
// https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers
// https://www.w3schools.com/html/html5_webworkers.asp
// NOTICE: Disabling Web Workers breaks "Download as ZIP" functionality on https://mega.nz/, WhatsApp Web and probably others
user_pref("dom.workers.enabled", false);
user_pref("browser.tabs.closeWindowWithLastTab", false);
// PREF: Disable web notifications
// https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501
user_pref("dom.webnotifications.enabled", false);
// PREF: Disable DOM timing API
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
// https://www.w3.org/TR/navigation-timing/#privacy
user_pref("dom.enable_performance", false);
// PREF: Make sure the User Timing API does not provide a new high resolution timestamp
// https://trac.torproject.org/projects/tor/ticket/16336
// https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
user_pref("dom.enable_user_timing", false);
// PREF: Disable Web Audio API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
user_pref("dom.webaudio.enabled", false);
// PREF: Disable Location-Aware Browsing (geolocation)
// https://www.mozilla.org/en-US/firefox/geolocation/
user_pref("geo.enabled", false);
// PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
// https://bugzilla.mozilla.org/show_bug.cgi?id=689252
user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
// PREF: When geolocation is enabled, don´t log geolocation requests to the console
user_pref("geo.wifi.logging.enabled", false);
// PREF: Disable raw TCP socket support (mozTCPSocket)
// https://trac.torproject.org/projects/tor/ticket/18863
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
// https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
user_pref("dom.mozTCPSocket.enabled", false);
// PREF: Disable DOM storage (disabled)
// http://kb.mozillazine.org/Dom.storage.enabled
// https://html.spec.whatwg.org/multipage/webstorage.html
// NOTICE-DISABLED: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
user_pref("dom.storage.enabled", false);
// PREF: Disable leaking network/browser connection information via Javascript
// Network Information API provides general information about the system´s connection type (WiFi, cellular, etc.)
// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
// https://wicg.github.io/netinfo/#privacy-considerations
// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
user_pref("dom.netinfo.enabled", false);
// PREF: Disable network API (Firefox< 32)
// https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
// https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
user_pref("dom.network.enabled", false);
//
user_pref("network.dns.disableIPv6", true);
//
// PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox< 42)
// NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...)
user_pref("media.peerconnection.enabled", false);
// PREF: Don´t reveal your internal IP when WebRTC is enabled (Firefox>= 42)
// https://wiki.mozilla.org/Media/WebRTC/Privacy
// https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
user_pref("media.peerconnection.ice.default_address_only", true); // Firefox 42-51
user_pref("media.peerconnection.ice.no_host", true); // Firefox>= 52
// PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
// https://wiki.mozilla.org/Media/getUserMedia
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
user_pref("media.navigator.enabled", false);
user_pref("media.navigator.video.enabled", false);
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);
// PREF: Disable battery API (Firefox< 52)
// https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
// https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
user_pref("dom.battery.enabled", false);
// PREF: Disable telephony API
// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);
// PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);
// PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
user_pref("dom.event.clipboardevents.enabled", false);
// PREF: Disable "copy to clipboard" functionality via Javascript (Firefox>= 41)
// NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
// https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
user_pref("dom.allow_cut_copy", false);
// PREF: Disable speech recognition
// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.recognition.enable", false);
// PREF: Disable speech synthesis
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
user_pref("media.webspeech.synth.enabled", false);
// PREF: Disable sensor API
// https://wiki.mozilla.org/Sensor_API
user_pref("device.sensors.enabled", false);
// PREF: Disable pinging URIs specified in HTML<a> ping= attributes
// http://kb.mozillazine.org/Browser.send_pings
user_pref("browser.send_pings", false);
// PREF: When browser pings are enabled, only allow pinging the same host as the origin page
// http://kb.mozillazine.org/Browser.send_pings.require_same_host
user_pref("browser.send_pings.require_same_host", true);
// PREF: Disable IndexedDB (disabled)
// https://developer.mozilla.org/en-US/docs/IndexedDB
// https://en.wikipedia.org/wiki/Indexed_Database_API
// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
// http://forums.mozillazine.org/viewtopic.php?p=13842047
// https://github.com/pyllyukko/user.js/issues/8
// NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
user_pref("dom.indexedDB.enabled", false);
// TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"
// PREF: Disable gamepad API to prevent USB device enumeration
// https://www.w3.org/TR/gamepad/
// https://trac.torproject.org/projects/tor/ticket/13023
user_pref("dom.gamepad.enabled", false);
// PREF: Disable virtual reality devices APIs
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
user_pref("dom.vr.enabled", false);
// PREF: Disable vibrator API
user_pref("dom.vibrator.enabled", false);
// PREF: Disable resource timing API
// https://www.w3.org/TR/resource-timing/#privacy-security
user_pref("dom.enable_resource_timing", false);
// PREF: Disable Archive API (Firefox< 54)
// https://wiki.mozilla.org/WebAPI/ArchiveAPI
// https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
user_pref("dom.archivereader.enabled", false);
// PREF: Disable webGL
// https://en.wikipedia.org/wiki/WebGL
// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
user_pref("webgl.disabled", true);
// PREF: When webGL is enabled, use the minimum capability mode
user_pref("webgl.min_capability_mode", true);
// PREF: When webGL is enabled, disable webGL extensions
// https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
user_pref("webgl.disable-extensions", true);
// PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
// https://trac.torproject.org/projects/tor/ticket/18603
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
// PREF: When webGL is enabled, do not expose information about the graphics driver
// https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
// https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
user_pref("webgl.enable-debug-renderer-info", false);
// somewhat related...
user_pref("pdfjs.enableWebGL", false);
// PREF: Spoof dual-core CPU
// https://trac.torproject.org/projects/tor/ticket/21675
// https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
user_pref("dom.maxHardwareConcurrency", 2);
/******************************************************************************
* SECTION: Misc *
******************************************************************************/
// PREF: Disable face detection
user_pref("camera.control.face_detection.enabled", false);
// ALWAYS SET A SEARCH ENGINE, OTHERWISE CONTEXT MENU BRAKES! (!!!)
//
// PREF: Set the default search engine to DuckDuckGo (disabled)
// https://support.mozilla.org/en-US/questions/948134
user_pref("browser.search.defaultenginename", "Wikipedia (en)");
user_pref("browser.search.order.1", "");
user_pref("keyword.URL", "");
// PREF: Disable GeoIP lookup on your address to set default search engine region
// https://trac.torproject.org/projects/tor/ticket/16254
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");
user_pref("browser.search.geoip.url", "");
// PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
user_pref("intl.accept_languages", "en-US");
user_pref("intl.charset.fallback.override", "UTF-8");
// PREF: Don´t use OS values to determine locale, force using Firefox locale setting
// http://kb.mozillazine.org/Intl.locale.matchOS
user_pref("intl.locale.matchOS", false);
// PREF: Don´t use Mozilla-provided location-specific search engines
user_pref("browser.search.geoSpecificDefaults", false);
// PREF: Do not automatically send selection to clipboard on some Linux platforms
// http://kb.mozillazine.org/Clipboard.autocopy
user_pref("clipboard.autocopy", false);
// PREF: Prevent leaking application locale/date format using JavaScript
// https://bugzilla.mozilla.org/show_bug.cgi?id=867501
// https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d
user_pref("javascript.use_us_english_locale", true);
// PREF: Do not submit invalid URIs entered in the address bar to the default search engine
// http://kb.mozillazine.org/Keyword.enabled
user_pref("keyword.enabled", false);
// PREF: Don´t trim HTTP off of URLs in the address bar.
// https://bugzilla.mozilla.org/show_bug.cgi?id=665580
// Big change for Firefox: Mozilla-Browser eliminates part of the URL (if set to true)
// https://www.chip.de/news/Riesen-Aenderung-bei-Firefox-Jetzt-schafft-auch-der-Mozilla-Browser-die-URL-ab_182514886.html
user_pref("browser.urlbar.trimURLs", false);
// PREF: Don´t try to guess domain names when entering an invalid domain name in URL bar
// http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
user_pref("browser.fixup.alternate.enabled", false);
// PREF: When browser.fixup.alternate.enabled is enabled, strip password from ´user:password@...´ URLs
// https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
user_pref("browser.fixup.hide_user_pass", true);
// PREF: Send DNS request through SOCKS when SOCKS proxying is in use
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
//user_pref("NETWORK.PROXY.SOCKS_REMOTE_DNS", false);
// PREF: Don´t monitor OS online/offline connection state
// https://trac.torproject.org/projects/tor/ticket/18945
user_pref("network.manage-offline-status", false);
// PREF: Enforce Mixed Active Content Blocking
// https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990
// https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
// https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
user_pref("security.mixed_content.block_active_content", true);
// PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
// NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
user_pref("security.mixed_content.block_display_content", false);
// PREF: Disable JAR from opening Unsafe File Types
// http://kb.mozillazine.org/Network.jar.open-unsafe-types
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7
user_pref("network.jar.open-unsafe-types", false);
// CIS 2.7.4 Disable Scripting of Plugins by JavaScript
// http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
user_pref("security.xpconnect.plugin.unrestricted", false);
// PREF: Set File URI Origin Policy
// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
user_pref("security.fileuri.strict_origin_policy", true);
// PREF: Disable Displaying Javascript in History URLs
// http://kb.mozillazine.org/Browser.urlbar.filter.javascript
// CIS 2.3.6
user_pref("browser.urlbar.filter.javascript", true);
// PREF: Disable asm.js
// http://asmjs.org/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
user_pref("javascript.options.asmjs", false);
// PREF: Disable SVG in OpenType fonts
// https://wiki.mozilla.org/SVGOpenTypeFonts
// https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
// PREF: Disable in-content SVG rendering (Firefox>= 53)
// NOTICE: Disabling SVG support breaks many UI elements on many sites
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
// https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
user_pref("svg.disabled", false);
// PREF: Disable video stats to reduce fingerprinting threat
// https://bugzilla.mozilla.org/show_bug.cgi?id=654550
// https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
// https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
user_pref("media.video_stats.enabled", false);
// PREF: Don´t reveal build ID
// Value taken from Tor Browser
// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
user_pref("general.buildID.override", "20100101");
user_pref("browser.startup.homepage_override.buildID", "20100101");
// PREF: Prevent font fingerprinting
// https://browserleaks.com/fonts
// https://github.com/pyllyukko/user.js/issues/120
// from https://www.instructables.com/id/Improve-ADSL-Broadband-Performance/
user_pref("browser.link.open_newwindow.restriction", 1);
user_pref("webgl.enable-webgl2", false);
user_pref("webgl.disable-wgl", true);
user_pref("browser.sessionhistory.max_entries", 3);
user_pref("media.navigator.video.preferred_codec", 126);
user_pref("media.navigator.video.max_fs", 2560);
user_pref("media.navigator.video.h264.level", 22);
user_pref("media.navigator.video.h264.max_mbps", 6000);
user_pref("media.ffmpeg.low-latency.enabled", true);
// Reduce CPU Utilization
// this few settings can reduce the cpu utilization and speeding up web contents.
user_pref("layout.frame_rate", 20);
user_pref("gfx.direct2d.disabled", false);
user_pref("gfx.direct2d.force-enabled", true);
user_pref("layers.prefer-opengl", true);
// from https://www.privacy-handbuch.de/handbuch_21q.htm
// Information about installed fonts can be read out by Javascript, flash or Java and further on get used
// for individual fingerprinting of the browser.
user_pref("browser.display.use_document_fonts", 0);
user_pref("font.blacklist.underline_offset", "");
user_pref("javascript.options.wasm", false);
user_pref("javascript.options.wasm_baselinejit", false);
//
// from wiki.kairaven.de:
//
user_pref("browser.display.use_document_fonts", 0);
user_pref("font.blacklist.underline_offset","");
user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
user_pref("layout.css.font-loading-api.enabled", false);
user_pref("gfx.downloadable_fonts.disable_cache", true);
user_pref("gfx.font_rendering.graphite.enabled", false);
user_pref("layout.css.prefixes.font-features", false);
user_pref("general.useragent.locale","en-US");
user_pref("intl.accept_languages","en-US");
user_pref("javascript.use_us_english_locale", true);
user_pref("network.http.accept-encoding", "gzip, deflate");
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("browser.cache.memory.enable", false);
user_pref("browser.cache.offline.capacity", 0);
user_pref("browser.cache.offline.enable", false);
user_pref("devtools.cache.disabled", true);
user_pref("dom.caches.enabled", false);
user_pref("media.cache_size", 0);
user_pref("browser.disk.free_space_hard_limit", 1);
user_pref("browser.disk.free_space_soft_limit", 1);
user_pref("browser.disk.max_chunks_memory_usage", 1);
user_pref("browser.disk.max_entry_size", 4);
user_pref("browser.disk.max_priority_chunks_memory_usage", 4);
user_pref("browser.disk.metadata_memory_limit", 5);
user_pref("browser.disk.parent_directory", "/tmp");
user_pref("browser.cache.disk.smart_size.firt_run", false);
user_pref("browser.cache.disk.cache_ssl", false);
user_pref("browser.cache.frecency_experiment", 1);
user_pref("browser.cache.memory.max_entery_size", 0);
user_pref("browser.cache.offline.capacity", 0);
user_pref("browser.cache.offline.enable", false);
user_pref("dom.caches.enabled", false);
user_pref("extensions.getAddons.cache.enabled", false);
user_pref("gfx.canvas.skiagl.dynamic-cache", false);
user_pref("gfx.downloadable_fonts.disable_cache", true);
user_pref("image.cache.size", 0);
user_pref("media.cache_size", 0);
user_pref("network.buffer.cache.count", 4);
user_pref("network.buffer.cache.size", 512);
user_pref("offline-apps.allow_by_default", false);
user_pref("signon.formlessCapture.enabled", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("brwoser.safebrowsing.provider.mozilla.lists" "");
user_pref("brwoser.safebrowsing.provider.google.lists" "");
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("dom.ipc.plugins.enabled", false);
user_pref("dom.ipc.plugins.enabled.pname.dll/so", false);
user_pref("dom.ipc.plugins.timeoutSecs", -1);
user_pref("media.eme.enabled", false);
user_pref("media.gmp-gmpopenh264.abi","");
user_pref("media.gmp-gmpopenh264.version","");
user_pref("media.gmp.storage.version.observed", 0);
user_pref("media.eme.apiVisible", false);
user_pref("browser.startup.homepage_override.buildID", 0);
user_pref("browser.eme.ui.enabled ", true);
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.tabs.opentabfor.middleclick", true);
user_pref("browser.search.openintab", true);
user_pref("browser.taskbar.previews.enable", true);
user_pref("config.trim_on_minimize", true);
user_pref("font.default.x-western", "serif");
user_pref("font.name.serif.x-western", "serif");
user_pref("font.name.sans-serif.x-western", "sans-serif")
user_pref("font.name.monospace.x-western", "serif")
user_pref("font.default.x-western" "sans-serif");
user_pref("font.language.group", "x-western");
user_pref("middlemouse.paste", true);
user_pref("browser.fixup.alternate.suffix", ".com");
user_pref("network.cookie.lifetime.days", 1);
user_pref("network.dnsCacheExpiration", 9);
user_pref("browser.send_pings", false);
user_pref("network.dns.disableIPv6", true);
user_pref("network.protocol-handler.expose.ftp", false);
user_pref("network.protocol-handler.external.ftp", false);
//
//firecamp.de
//
user_pref("useragentswitcher.1.appname", "Microsoft Internet Explorer");
user_pref("useragentswitcher.1.appversion", "4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
user_pref("useragentswitcher.1.description", "Internet Explorer 6 (Windows XP)");
user_pref("useragentswitcher.1.platform", "Win32");
user_pref("useragentswitcher.1.useragent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
user_pref("useragentswitcher.2.appname", "Netscape");
user_pref("useragentswitcher.2.appversion", "4.8 [de] (Windows NT 5.1; U)");
user_pref("useragentswitcher.2.description", "Netscape 4.8 (Windows XP)");
user_pref("useragentswitcher.2.platform", "Win32");
user_pref("useragentswitcher.2.useragent", "Mozilla/4.8 [de] (Windows NT 5.1; U)");
user_pref("useragentswitcher.3.appname", "Opera");
user_pref("useragentswitcher.3.appversion", "7.54 (Windows NT 5.1; U)");
user_pref("useragentswitcher.3.description", "Opera 7.54 (Windows XP)");
user_pref("useragentswitcher.3.platform", "Win32");
user_pref("useragentswitcher.3.useragent", "Opera/7.54 (Windows NT 5.1; U) [de]");
user_pref("useragentswitcher.menu.hide", false);
user_pref("useragentswitcher.reset.onclose", false);
user_pref("useragentswitcher.user.agents.count", 3);
user_pref("accessibility.typeaheadfind", false);
user_pref("accessibility.typeaheadfind.flashBar", 0);
user_pref("browser.display.screen_resolution", 96);
user_pref("browser.history_expire_days", 1);
user_pref("browser.link.open_external", 2);
user_pref("browser.xul.error_pages.enabled", false);
user_pref("extensions.update.lastUpdateDate", 1099489430);
user_pref("browser.download.dir", "/tmp2");
user_pref("browser.dom.window.dump.enabled", false);
user_pref("browser.offline", false);
user_pref("browser.preferences.lastpanel", 5);
user_pref("browser.tabs.loadInBackground", false);
user_pref("downloadmgr.showWhenStarting", true);
user_pref("javascript.options.parallel.parsing", false);
user_pref("javascript.options.strict", true);
user_pref("javascript.options.native_regexp", true);
user_pref("javascript.options.mem.gc_per_zone", true);
user_pref("javascript.options.mem.gc_refresh_frame_slices_enabled", true);
user_pref("font.internaluseonly.changed", false);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.popups.showBrowserMessage", false);
user_pref("privacy.sanitize.migrateFx3Prefs", true);
user_pref("privacy.sanitize.timeSpan", 0);
user_pref("privacy.firstparty.isolate", true); // ff>=58 once more against Canvas Fingerprinting
user_pref("services.sync.declinedEngines", "");
user_pref("storage.vacuum.last.index", 1);
user_pref("storage.vacuum.last.places.sqlite", 1509303910);
user_pref("network.http.max-connections", 32);
user_pref("browser.cache.disk.parent_directory" "/tmp"); // siehe /etc/fstab
user_pref("browser.download.importedFromSqlite", true); // *
user_pref("extensions.checkCompatibility", false);
user_pref("browser.sessionstore.resume_session_once", false);
user_pref("browser.sessionstore.upgradeBackup.latestBuildID", "0");
user_pref("browser.urlbar.matchBehavior", 2);
user_pref("browser.urlbar.matchOnlyTyped", true);
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("gestures.enable_single_finger_input", false);
//
// https://www.philognosie.net/internet/firefox-einstellungen-aboutconfig-praktische-filter-tipps?page=2
//
user_pref("accessibility.typeahead.flashBar", 0);
user_pref("app.releaseNotesURL", "");
user_pref("app.support.baseURL", "");
user_pref("app.update.enabled", false);
user_pref("app.update.url", "");
user_pref("app.update.url.details", "");
user_pref("app.update.url.manual", "");
user_pref("app.vendorURL", "");
user_pref("browser.allTabs.previews", false);
user_pref("browser.autofocus", false);
user_pref("browser.bookmarks.restore_default_bookmarks", false);
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.disk.filesystem_reported", 0);
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("browser.cache.memory.enable", false);
user_pref("browser.cache.offline.capacity", 0);
user_pref("browser.cache.offline.enable", false);
user_pref("browser.contentHandlers.types.0.uri", "");
user_pref("browser.ctrlTab.previews", false);
user_pref("browser.dictionaries.download.url", "");
user_pref("browser.display.use_document_fonts", 0);
user_pref("browser.download.dir", /tmp);
user_pref("browser.download.folderList", 2);
user_pref("browser.download.importedFromSqlite", true);
user_pref("browser.download.panel.shown", true);
user_pref("browser.download.useDownloadDir", true);
user_pref("browser.feedback.url", "");
user_pref("devtools.memory.enabled", false);
user_pref("devtools.errorconsole.enabled", false);
user_pref("devtools.device.url", "");
user_pref("devtools.browserconsole.filter.sharedworkers", false);
user_pref("clipboard.autocopy", false);
user_pref("captivedetect.canonicalURL", "");
user_pref("network.http.keep-alive.timeout", 115);
user_pref("network.http.connection-timeout", 90);
user_pref("network.http:connection-retry-timeout", 250);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("keyword.enabled", false);
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("browser.urlbar.clickSelectsAll", false);
user_pref("browser.backspace_action", 2);
user_pref("general.smoothScroll", true);
user_pref("browser.showQuitWarning", false);
user_pref("Browser.download.saveLinkAsFilenameTimeout", 4000);
user_pref("accessibility.typeaheadfind", true);
user_pref("accessibility.typeaheadfind.flashBar", 0);
user_pref("app.releaseNotesURL", "");
user_pref("app.support.baseURL", "");
user_pref("app.update.backgroundErrors", 1);
user_pref("app.update.backgroundMaxErrors", 1);
user_pref("app.vendorURL", "");
user_pref("breakpad.reportURL", "");
user_pref("browser.allTabs.previews", false);
user_pref("browser.autofocus", false);
user_pref("browser.bookmarks.restore_default_bookmarks", false);
user_pref("browser.cache.disk.filesystem_reported", 1);
user_pref("browser.cache.disk.parent_directory", "/tmp");
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("image.cache.size", 0);
user_pref("browser.contentHandlers.types.0.uri", "");
user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
user_pref("browser.ctrlTab.previews", false);
user_pref("browser.dictionaries.download.url", "");
user_pref("browser.display.screen_resolution", 96);
user_pref("browser.download.folderList", 2);
user_pref("browser.download.importedFromSqlite", true);
user_pref("browser.download.panel.shown", false);
user_pref("browser.download.save_converter_index", 0);
user_pref("browser.download.useDownloadDir", true);
user_pref("browser.feedback.url", "");
user_pref("browser.fixup.alternate.enabled", false);
user_pref("browser.formfill.saveHttpsForms", false);
user_pref("browser.fullscreen.animateUp", 0);
user_pref("browser.fullscreen.autohide", false);
user_pref("browser.geolocation.warning.infoURL", "");
user_pref("browser.getdevtools.url", "");
user_pref("browser.history_expire_days", 1);
user_pref("browser.link.open_external", 2);
user_pref("browser.link.open_newwindow", 1);
user_pref("browser.link.open_newwindow.disabled_in_fullscreen", false);
user_pref("browser.link.open_newwindow.restriction", 0);
user_pref("browser.migration.version", 19);
user_pref("browser.mixedcontent.warning.infoURL", "");
user_pref("browser.newtab.choice", 0);
user_pref("browser.newtab.url", "about:blank");
user_pref("browser.newtabpage.columns", 0);
user_pref("browser.newtabpage.enabled", true);
user_pref("browser.newtabpage.rows", 0);
user_pref("browser.newtabpage.storageVersion", 1);
user_pref("browser.offline", false);
user_pref("browser.pagethumbnails.storage_version", 3);
user_pref("browser.places.smartBookmarksVersion", 4);
user_pref("browser.preferences.advanced.selectedTabIndex", 2);
user_pref("browser.preferences.lastpanel", 5);
user_pref("browser.preferences.privacy.selectedTabIndex", 2);
user_pref("browser.privatebrowsing.autostart", true);
user_pref("browser.safebrowsing.blockedURIs.enabled", true);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.geoip.timeout", 1);
user_pref("browser.search.geoip.url", "");
user_pref("browser.search.order.1", "");
user_pref("browser.search.region", "US");
user_pref("browser.search.searchEnginesURL", "");
user_pref("browser.search.selectedEngine", "");
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.search.update", false);
user_pref("browser.search.useDBForOrder", true);
user_pref("browser.selfsupport.enabled", false);
user_pref("browser.selfsupport.url", "");
user_pref("browser.send_pings.max_per_link", 0);
user_pref("browser.sessionhistory.max_entries", 5);
user_pref("browser.sessionhistory.max_total_viewers", -1);
user_pref("browser.sessionstore.privacy level", 2);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.shell.skipDefaultBrowserCheckOnFirstRun", true);
user_pref("browser.slowStartup.averageTime", 0);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.slowstartup.help.url", "");
user_pref("browser.startup.homepage", "about::blank");
user_pref("browser.ustartup.homepage_override.mstone", "ignore");
user_pref("browser.startup.page", 0);
user_pref("browser.syncPromoViewsLeftMap", "{"addons":0,"bookmarks":0}");
user_pref("browser.tabs.closeWindowWithLastTab", false);
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.tabs.loadInBackground", false);
user_pref("browser.taskbar.previews.enable", true);
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.updateURL", "");
user_pref("browser.urlbar.clickSelectsAll", false);
user_pref("browser.urlbar.matchBehavior", 2);
user_pref("browser.urlbar.matchOnlyTyped", true);
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.xul.error_pages.enabled", false);
user_pref("browser.zoom.siteSpecific", false);
user_pref("camera.control.face_detection.enabled", false);
user_pref("clipboard.autocopy", false);
user_pref("config.trim_on_minimize", true);
user_pref("device.sensors.enabled", false);
user_pref("devtools.browserconcole.filter.csslog", false);
user_pref("devtools.devedition.promo.url", "");
user_pref("devtools.gcli.jquerySrc", "");
user_pref("devtools.gcli.lodashSrc", "");
user_pref("devtools.gcli.underscoreSrc", "");
user_pref("devtools.telemetry.tools.opened.version", "{}");
user_pref("devtools.toolbox.selectedTool", "inspector");
user_pref("devtools.toolsidebar-height.inspector", 350);
user_pref("devtools.toolsidebar-width.inspector", 350);
user_pref("devtools.webconsole.filter.csslogbrowserconcole.filter.csslog", false);
user_pref("disabletarget.extensions", "zip rar exe tar jar xpi gzip gz ace bin");
user_pref("dom.allow_cut_copy", false);
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
user_pref("dom.enable_performance", false);
user_pref("dom.enable_resource_timing", false);
user_pref("dom.enable_user_timing", false);
user_pref("dom.event.contextmenu.enabled", false);
user_pref("dom.gamepad.enabled", false);
user_pref("dom.idle-observers-api.enabled", false);
user_pref("dom.indexedDB.enabled", false);
user_pref("dom.ipc.plugins.enabled.pname.dll/so", false);
user_pref("dom.ipc.plugins.timeoutSecs", -1);
user_pref("dom.keyboardevent.code.enabled", false);
user_pref("dom.maxHardwareConcurrency", 2);
user_pref("dom.mozApps.signed_apps_installable_from", "");
user_pref("dom.mozInputMethod.enabled", false);
user_pref("dom.mozTCPSocket.enabled", false);
user_pref("dom.network.enabled", false);
user_pref("dom.popup_allowed_events", "change click dblclick mouseup pointerup notificationclick reset submit touchend");
user_pref("dom.popup_maximum", 1);
user_pref("dom.server-events.enabled", false);
user_pref("dom.storage.enabled", false);
user_pref("dom.vibrator.enabled", false);
user_pref("dom.webaudio.enabled", false);
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.workers.enabled", false);
user_pref("downloadmgr.showWhenStarting", true);
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("network.allow-experiments", false);
//
//https://www.thewindowsclub.com/mozilla-firefox-about-config-tweaks
//
user_pref("browser.tabs.insertRelatedAfterCurrent", true);
user_pref("browser.ctrlTab.previews", false);
user_pref("network.prefetch-next", false);
user_pref("browser.tabs.animate", true);
user_pref("browser.urlbar.clickSelectsAll", false);
user_pref("browser.tabs.animate", true);
//
// https://www.szenebox.org/15-gefaellt-mir/6709-firefox-richtig-einstellen/
//
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("falsedatareporting.policy.dataSubmissionEnabled", false);
user_pref("browser.selfsupport.url", "");
//
user_pref("services.sync.engine.tabs", false);
user_pref("services.sync.engineStatusChanged.addons", true);
user_pref("services.sync.engineStatusChanged.bookmarks", true);
user_pref("services.sync.engineStatusChanged.history", true);
user_pref("services.sync.engineStatusChanged.passwords", true);
user_pref("services.sync.engineStatusChanged.prefs", true);
user_pref("services.sync.engineStatusChanged.tabs", true);
user_pref("services.sync.fxa.privacyURL", "");
user_pref("services.sync.fxa.termsURL", "");
user_pref("services.sync.jpake.serverURL", "");
user_pref("services.sync.migrated", true);
user_pref("services.sync.nextSync", 0);
user_pref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", false);
user_pref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", false);
user_pref("services.sync.prefs.sync.browser.search.update", false);
user_pref("services.sync.prefs.sync.browser.sessionstore.restore_on_demand", false);
user_pref("services.sync.prefs.sync.browser.urlbar.autocomplete.enabled", false);
user_pref("services.sync.prefs.sync.browser.urlbar.suggest.searches", false);
user_pref("services.sync.prefs.sync.network.cookie.thirdparty.sessionOnly", false);
user_pref("services.sync.prefs.sync.spellchecker.dictionary", false);
user_pref("services.sync.privacyURL", "");
user_pref("services.sync.serverURL", "");
user_pref("services.sync.tabs.lastSync", 0);
user_pref("services.sync.tabs.lastSyncLocal", 0);
user_pref("services.sync.addons.trustedSourceHostnames", "");
user_pref("services.sync.clients.lastSync", 0);
user_pref("services.sync.clients.lastSyncLocal", 0);
user_pref("services.sync.declinedEngines", "");
user_pref("services.sync.engine.addons", false);
user_pref("services.sync.engine.bookmarks", false);
user_pref("services.sync.engine.history", false);
user_pref("services.sync.engine.passwords", false);
user_pref("services.sync.engine.prefs", false);
user_pref("services.sync.engine.tabs", false);
//
//https://www.maketecheasier.com/28-coolest-firefox-aboutconfig-tricks/
//
user_pref("browser.sessionhistory.max_total_viewers", 0);
user_pref("network.http.max-connections-per-server", 8);
user_pref("network.http.proxy.pipelining", false); // eventl. true
user_pref("browser.urlbar.clickSelectsAll", false);
user_pref("zoom.maxPercent", 300);
user_pref("zoom.minPercent", 30);
user_pref("security.dialog_enable_delay", 0);
user_pref("view_source.editor.external", false);
user_pref("view_source.editor.path", "");
user_pref("Browser.download.saveLinkAsFilenameTimeout", 4000);
user_pref("browser.fullscreen.autohide", false);
user_pref("extensions.getAddons.maxResults", 15);
user_pref("media.getusermedia.screensharing.allowed_domains", ""); // www.ciscoparks.com, ...
CHIP, https://www.chip.de/news/Firefox-Diese-Features-kennen-Sie-noch-nicht_93266205.html
user_pref("browser.tabs.loadBookmarksInTabs", true);
user_pref("findbar.modalHighlight", true);
user_pref("indbar.highlightAll", true);
user_pref("privacy.resistFingerprinting", true);
//
// PREF: Enable only whitelisted URL protocol handlers
// PREF: Enable only whitelisted URL protocol handlers
// http://kb.mozillazine.org/Network.protocol-handler.external-default
// http://kb.mozillazine.org/Network.protocol-handler.warn-external-default
// http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29
// https://news.ycombinator.com/item?id=13047883
// https://bugzilla.mozilla.org/show_bug.cgi?id=167475
// https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005
// NOTICE: Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols
// TODO: Add externally-handled protocols from Windows 8.1 and Windows 10 (currently contains protocols only from Linux and Windows 7) that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
// TODO: Add externally-handled protocols from Mac OS X that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
// If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to:
// * true, if the protocol should be handled by an external application
// * false, if the protocol should be handled internally by Firefox
user_pref("network.protocol-handler.warn-external-default", true);
user_pref("network.protocol-handler.external.http", false);
user_pref("network.protocol-handler.external.https", false);
user_pref("network.protocol-handler.external.javascript", false);
user_pref("network.protocol-handler.external.moz-extension", false);
user_pref("network.protocol-handler.external.ftp", true);
user_pref("network.protocol-handler.external.file", false);
user_pref("network.protocol-handler.external.about", false);
user_pref("network.protocol-handler.external.chrome", false);
user_pref("network.protocol-handler.external.blob", false);
user_pref("network.protocol-handler.external.data", false);
user_pref("network.protocol-handler.expose-all", false);
user_pref("network.protocol-handler.expose.http", false);
user_pref("network.protocol-handler.expose.https", false);
user_pref("network.protocol-handler.expose.javascript", false);
user_pref("network.protocol-handler.expose.moz-extension", false);
user_pref("network.protocol-handler.expose.ftp", false);
user_pref("network.protocol-handler.expose.file", false);
user_pref("network.protocol-handler.expose.about", false);
user_pref("network.protocol-handler.expose.chrome", false);
user_pref("network.protocol-handler.expose.blob", false);
user_pref("network.protocol-handler.expose.data", false);
user_pref("browser.sessionhistory.max_entries", 5);
user_pref("dom.ipc.plugins.processLaunchTimeoutSecs", 45);
user_pref("network.http.pipelining.ssl", false);
user_pref("network.negotiate-auth.using-native-gsslib", true);
user_pref("network.predictor.enable-hover-on-ssl", true);
user_pref("security.ssl.enable_alpn", true);
user_pref("security.ssl.enable_false_start", true);
user_pref("security.ssl.enable_npn", true);
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.false_start.require-npn", false);
user_pref("security.ssl.require_safe_negotiation", true); // https://wiki.gentoo.org/wiki/Firefox
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", false); //https://wiki.gentoo.org/wiki/Firefox
user_pref("security.ssl.enable_alpn", true);
user_pref("webchannel.allowObject.urlWhitelist" "");
user_pref("clipboard.plainTextOnly", true);
user_pref("devtools.remote.wifi.scan", false);
user_pref("toolkit.cosmeticAnimations.enabled", false);
user_pref("dom.battery.enabled", false);
user_pref("dom.disable_window_*", true);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.gamepad.*.enabled", false);
user_pref("dom.mapped_arraybuffer.enabled", false);
user_pref("offline-apps.quota.warn", false);
user_pref("dom.w3c_touch_events.enabled", false);
user_pref("dom.webkitBlink.filesystem.enabled", false);
/******************************************************************************
* SECTION: Extensions / plugins *
******************************************************************************/
// PREF: Ensure you have a security delay when installing add-ons (milliseconds)
// http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
// http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
user_pref("security.dialog_enable_delay", 1000);
// PREF: Require signatures
// https://wiki.mozilla.org/Addons/Extension_Signing; needed for extensions like FireGloves etc.
user_pref("xpinstall.signatures.required", false);
// PREF: Opt-out of add-on metadata updates
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
user_pref("extensions.getAddons.cache.enabled", false);
// PREF: Opt-out of themes (Persona) updates
// https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
user_pref("lightweightThemes.update.enabled", false);
// PREF: Disable Flash Player NPAPI plugin
// http://kb.mozillazine.org/Flash_plugin
user_pref("plugin.state.flash", 0);
// PREF: Disable Java NPAPI plugin
user_pref("plugin.state.java", 0);
// PREF: Disable sending Flash Player crash reports
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
// PREF: When Flash crash reports are enabled, don´t send the visited URL in the crash report
user_pref("dom.ipc.plugins.reportCrashURL", false);
// PREF: When Flash is enabled, download and use Mozilla SWF URIs blocklist
// https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
// https://github.com/mozilla-services/shavar-plugin-blocklist
user_pref("browser.safebrowsing.blockedURIs.enabled", true);
// PREF: Disable Shumway (Mozilla Flash renderer)
// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway
user_pref("shumway.disabled", true);
// PREF: Disable Gnome Shell Integration NPAPI plugin
user_pref("plugin.state.libgnome-shell-browser-plugin", 0);
// PREF: Disable the bundled OpenH264 video codec (disabled)
// http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077
user_pref("media.gmp-provider.enabled", false);
// PREF: Enable plugins click-to-play
// https://wiki.mozilla.org/Firefox/Click_To_Play
// https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
user_pref("plugins.click_to_play", false);
// PREF: Updates addons automatically
// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
user_pref("extensions.update.enabled", false);
// PREF: Enable add-on and certificate blocklists (OneCRL) from Mozilla
// https://wiki.mozilla.org/Blocklisting
// https://blocked.cdn.mozilla.net/
// http://kb.mozillazine.org/Extensions.blocklist.enabled
// http://kb.mozillazine.org/Extensions.blocklist.url
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
// Updated at interval defined in extensions.blocklist.interval (default: 86400)
user_pref("extensions.blocklist.enabled", true);
user_pref("services.blocklist.update_enabled", true);
// PREF: Decrease system information leakage to Mozilla blocklist update servers
// https://trac.torproject.org/projects/tor/ticket/16931
user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
/******************************************************************************
* SECTION: Firefox (anti-)features / components * *
******************************************************************************/
// PREF: Disable WebIDE
// https://trac.torproject.org/projects/tor/ticket/16222
// https://developer.mozilla.org/docs/Tools/WebIDE
user_pref("devtools.webide.enabled", false);
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
// PREF: Disable remote debugging
// https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
// https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.chrome.enabled", false);
user_pref("devtools.debugger.force-local", true);
// PREF: Disable Mozilla telemetry/experiments
// https://wiki.mozilla.org/Platform/Features/Telemetry
// https://wiki.mozilla.org/Privacy/Reviews/Telemetry
// https://wiki.mozilla.org/Telemetry
// https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
// https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
// https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
// https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
// https://wiki.mozilla.org/Telemetry/Experiments
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.unified", false);
user_pref("experiments.supported", false);
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
// PREF: Disallow Necko to do A/B testing
// https://trac.torproject.org/projects/tor/ticket/13170
user_pref("network.allow-experiments", false);
// PREF: Disable sending Firefox crash reports to Mozilla servers
// https://wiki.mozilla.org/Breakpad
// http://kb.mozillazine.org/Breakpad
// https://dxr.mozilla.org/mozilla-central/source/toolkit/crashreporter
// https://bugzilla.mozilla.org/show_bug.cgi?id=411490
// A list of submitted crash reports can be found at about:crashes
user_pref("breakpad.reportURL", "");
// PREF: Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don´t nag user about unsent crash reports
// https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
// PREF: Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
// https://wiki.mozilla.org/FlyWeb
// https://wiki.mozilla.org/FlyWeb/Security_scenarios
// https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
// http://www.ghacks.net/2016/07/26/firefox-flyweb
user_pref("dom.flyweb.enabled", false);
// PREF: Disable the UITour backend
// https://trac.torproject.org/projects/tor/ticket/19047#comment:3
user_pref("browser.uitour.enabled", false);
// PREF: Enable Firefox Tracking Protection
// https://wiki.mozilla.org/Security/Tracking_protection
// https://support.mozilla.org/en-US/kb/tracking-protection-firefox
// https://support.mozilla.org/en-US/kb/tracking-protection-pbm
// https://kontaxis.github.io/trackingprotectionfirefox/
// https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.pbmode.enabled", true);
// PREF: Enable contextual identity Containers feature (Firefox>= 52)
// NOTICE: Containers are not available in Private Browsing mode
// https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
user_pref("privacy.userContext.enabled", true);
// PREF: Enable hardening against various fingerprinting vectors (Tor Uplift project)
// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
user_pref("privacy.resistFingerprinting", true);
// PREF: Disable the built-in PDF viewer
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743
// https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
user_pref("pdfjs.disabled", true);
// PREF: Disable collection/sending of the health report (healthreport.sqlite*)
// https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
// https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.healthreport.service.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
// PREF: Disable Heartbeat (Mozilla user rating telemetry)
// https://wiki.mozilla.org/Advocacy/heartbeat
// https://trac.torproject.org/projects/tor/ticket/19047
user_pref("browser.selfsupport.url", "");
// PREF: Disable Firefox Hello (disabled) (Firefox< 49)
// https://wiki.mozilla.org/Loop
// https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946
// NOTICE-DISABLED: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
user_pref("loop.enabled", false);
// PREF: Disable Firefox Hello metrics collection
// https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
user_pref("loop.logDomains", false);
// PREF: Enable Auto Update (disabled)
// NOTICE: Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting.
// CIS 2.1.1
user_pref("app.update.auto", false);
// PREF: Enforce checking for Firefox updates
// http://kb.mozillazine.org/App.update.enabled
// NOTICE: Update check page might incorrectly report Firefox ESR as out-of-date
user_pref("app.update.enabled", false);
// PREF: Enable blocking reported web forgeries
// https://wiki.mozilla.org/Security/Safe_Browsing
// http://kb.mozillazine.org/Safe_browsing
// https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
// http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849
// CIS 2.3.4
user_pref("browser.safebrowsing.enabled", false); // Firefox< 50
user_pref("browser.safebrowsing.phishing.enabled", false); // firefox>= 50
// PREF: Enable blocking reported attack sites
// http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled
// CIS 2.3.5
user_pref("browser.safebrowsing.malware.enabled", false);
// PREF: Disable querying Google Application Reputation database for downloaded binary files
// https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
// https://wiki.mozilla.org/Security/Application_Reputation
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
// PREF: Disable Pocket
// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
// https://github.com/pyllyukko/user.js/issues/143
user_pref("browser.pocket.enabled", false);
user_pref("extensions.pocket.enabled", false);
// PREF: Disable SHIELD
// https://support.mozilla.org/en-US/kb/shield
// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
user_pref("extensions.shield-recipe-client.enabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
// PREF: Disable "Recommended by Pocket" in Firefox Quantum
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
/******************************************************************************
* SECTION: Automatic connections *
******************************************************************************/
// PREF: Disable prefetching of<link rel="next"> URLs
// http://kb.mozillazine.org/Network.prefetch-next
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
user_pref("network.prefetch-next", false);
// PREF: Disable DNS prefetching
// http://kb.mozillazine.org/Network.dns.disablePrefetch
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
user_pref("network.dns.disablePrefetch", false);
user_pref("network.dns.disablePrefetchFromHTTPS", false);
// PREF: Disable the predictive service (Necko)
// https://wiki.mozilla.org/Privacy/Reviews/Necko
user_pref("network.predictor.enabled", false);
// PREF: Reject .onion hostnames before passing the to DNS
// https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
// RFC 7686
user_pref("network.dns.blockDotOnion", true);
// PREF: Disable search suggestions in the search bar
// http://kb.mozillazine.org/Browser.search.suggest.enabled
user_pref("browser.search.suggest.enabled", false);
// PREF: Disable "Show search suggestions in location bar results"
user_pref("browser.urlbar.suggest.searches", false);
// PREF: When using the location bar, don´t suggest URLs from browsing history
user_pref("browser.urlbar.suggest.history", false);
// PREF: Disable SSDP
// https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
user_pref("browser.casting.enabled", false);
// PREF: Disable automatic downloading of OpenH264 codec
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
// https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");
// PREF: Disable speculative pre-connections
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
user_pref("network.http.speculative-parallel-limit", 0);
// PREF: Disable downloading homepage snippets/messages from Mozilla
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
user_pref("browser.aboutHomeSnippets.updateUrl", "");
// PREF: Never check updates for search engines
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
user_pref("browser.search.update", false);
// PREF: Disable automatic captive portal detection (Firefox>= 52.0)
// https://support.mozilla.org/en-US/questions/1157121
user_pref("network.captive-portal-service.enabled", false);
/******************************************************************************
* SECTION: HTTP *
******************************************************************************/
// PREF: Disallow NTLMv1
// https://bugzilla.mozilla.org/show_bug.cgi?id=828183
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
// it is still allowed through HTTPS. uncomment the following to disable it completely.
//user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
// PREF: Enable CSP 1.1 script-nonce directive support
// https://bugzilla.mozilla.org/show_bug.cgi?id=855326
user_pref("security.csp.experimentalEnabled", true);
// PREF: Enable Content Security Policy (CSP)
// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
user_pref("security.csp.enable", true);
// PREF: Enable Subresource Integrity
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
// https://wiki.mozilla.org/Security/Subresource_Integrity
user_pref("security.sri.enable", true);
// PREF: DNT HTTP header (disabled)
// https://www.mozilla.org/en-US/firefox/dnt/
// https://en.wikipedia.org/wiki/Do_not_track_header
// https://dnt-dashboard.mozilla.org
// https://github.com/pyllyukko/user.js/issues/11
// NOTICE: Do No Track must be enabled manually
user_pref("privacy.donottrackheader.enabled", true);
// PREF: Send a referer header with the target URI as the source
// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
// https://github.com/pyllyukko/user.js/issues/227
// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
user_pref("network.http.referer.spoofSource", true);
// PREF: Don´t send referer headers when following links across different domains (disabled)
// https://github.com/pyllyukko/user.js/issues/227
user_pref("network.http.referer.XOriginPolicy", 2);
// PREF: Accept Only 1st Party Cookies
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
// CIS 2.5.1
// set 1: cookies from third parties only, 2: no cookies (2 recommended, if extension cookie-controller is installed)
user_pref("network.cookie.cookieBehavior", 2);
// PREF: Make sure that third-party cookies (if enabled) never persist beyond the session.
// https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
// http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
// https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly
// user_pref("network.cookie.thirdparty.sessionOnly", false);
// PREF: Spoof User-agent (disabled)
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0");
user_pref("general.appname.override", "Netscape");
user_pref("general.appversion.override", "5.0 (Windows)");
user_pref("general.platform.override", "Win64");
user_pref("general.oscpu.override", "Windows NT 6.1");
/*******************************************************************************
* SECTION: Caching *
******************************************************************************/
// PREF: Permanently enable private browsing mode
// https://support.mozilla.org/en-US/kb/Private-Browsing
// https://wiki.mozilla.org/PrivateBrowsing
// NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
// NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
// NOTICE: Private browsing breaks Kerberos authentication
// NOTICE: Disables "Containers" functionality (see below)
// NOTICE: "Always use private browsing mode" (browser.privatebrowsing.autostart) disables the possibility to use password manager: https://support.mozilla.org/en-US/kb/usernames-and-passwords-are-not-saved#w_private-browsing
user_pref("browser.privatebrowsing.autostart", true);
// PREF: Do not download URLs for the offline cache
// http://kb.mozillazine.org/Browser.cache.offline.enable
user_pref("browser.cache.offline.enable", false);
// PREF: Clear history when Firefox closes
// https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
// NOTICE: Installing user.js will remove your browsing history, caches and local storage.
// NOTICE: Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
// NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.openWindows", false); // must be set to false, in order to prevent from two loading window instances on startup
// PREF: Set time range to "Everything" as default in "Clear Recent History"
user_pref("privacy.sanitize.timeSpan", 0);
// PREF: Clear everything but "Site Preferences" in "Clear Recent History"
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.sessions", true);
// PREF: Don´t remember browsing history
user_pref("places.history.enabled", false);
// PREF: Disable disk cache
// http://kb.mozillazine.org/Browser.cache.disk.enable
user_pref("browser.cache.disk.enable", false);
// PREF: Disable memory cache (disabled)
// http://kb.mozillazine.org/Browser.cache.memory.enable
user_pref("browser.cache.memory.enable", false);
// PREF: Disable Caching of SSL Pages
// CIS Version 1.2.0 October 21st, 2011 2.5.8
// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
user_pref("browser.cache.disk_cache_ssl", false);
// PREF: Disable download history
// CIS Version 1.2.0 October 21st, 2011 2.5.5
user_pref("browser.download.manager.retention", 0);
// PREF: Disable password manager
// CIS Version 1.2.0 October 21st, 2011 2.5.2
user_pref("signon.rememberSignons", false);
// PREF: Disable form autofill, don´t save information entered in web page forms and the Search Bar
user_pref("browser.formfill.enable", false);
// PREF: Cookies expires at the end of the session (when the browser closes)
// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
user_pref("network.cookie.lifetimePolicy", 2);
// PREF: Require manual intervention to autofill known username/passwords sign-in forms
// http://kb.mozillazine.org/Signon.autofillForms
// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
user_pref("signon.autofillForms", false);
// PREF: Disable formless login capture
// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
user_pref("signon.formlessCapture.enabled", false);
// PREF: When username/password autofill is enabled, still disable it on non-HTTPS sites
// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
user_pref("signon.autofillForms.http", false);
// PREF: Show in-content login form warning UI for insecure login fields
// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
user_pref("security.insecure_field_warning.contextual.enabled", true);
// PREF: Disable the password manager for pages with autocomplete=off (disabled)
// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
// OWASP ASVS V9.1
// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
user_pref("signon.storeWhenAutocompleteOff", false);
// PREF: Delete Search and Form History
// CIS Version 1.2.0 October 21st, 2011 2.5.6
user_pref("browser.formfill.expire_days", 0);
// PREF: Clear SSL Form Session Data
// http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2
// Store extra session data for unencrypted (non-HTTPS) sites only.
// CIS Version 1.2.0 October 21st, 2011 2.5.7
// NOTE: CIS says 1, we use 2
user_pref("browser.sessionstore.privacy_level", 2);
// PREF: Delete temporary files on exit
// https://bugzilla.mozilla.org/show_bug.cgi?id=238789
user_pref("browser.helperApps.deleteTempFileOnExit", true);
// PREF: Do not create screenshots of visited pages (relates to the "new tab page" feature)
// https://support.mozilla.org/en-US/questions/973320
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
user_pref("browser.pagethumbnails.capturing_disabled", true);
// PREF: Don´t fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
// NOTICE: .URL shortcut files will be created with a generic icon
// Favicons are stored as .ico files in DOLLARSIGNprofile_dirshortcutCache
user_pref("browser.shell.shortcutFavicons", false);
// PREF: Disable bookmarks backups (default: 15)
// http://kb.mozillazine.org/Browser.bookmarks.max_backups
user_pref("browser.bookmarks.max_backups", 0);
/*******************************************************************************
* SECTION: UI related *
*******************************************************************************/
// PREF: Enable insecure password warnings (login forms in non-HTTPS pages)
// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
user_pref("security.insecure_password.ui.enabled", true);
// PREF: Disable right-click menu manipulation via JavaScript (disabled)
user_pref("dom.event.contextmenu.enabled", false);
// PREF: Disable "Are you sure you want to leave this page?" popups on page close
// https://support.mozilla.org/en-US/questions/1043508
// Does not prevent JS leaks of the page close event.
// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
user_pref("dom.disable_beforeunload", true);
// PREF: Disable Downloading on Desktop
// CIS 2.3.2
user_pref("browser.download.folderList", 2);
// PREF: Always ask the user where to download
// https://developer.mozilla.org/en/Download_Manager_preferences (obsolete)
user_pref("browser.download.useDownloadDir", false);
// PREF: Disable the "new tab page" feature and show a blank tab instead
// https://wiki.mozilla.org/Privacy/Reviews/New_Tab
// https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.url", "about:blank");
// PREF: Disable Activity Stream
// https://wiki.mozilla.org/Firefox/Activity_Stream
user_pref("browser.newtabpage.activity-stream.enabled", false);
// PREF: Disable new tab tile ads &preload
// http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
// http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
// https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
// TODO: deprecated? not in DXR, some dead links
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "data:text/plain,{}");
// PREF: Enable Auto Notification of Outdated Plugins (Firefox< 50)
// https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review
// CIS Version 1.2.0 October 21st, 2011 2.1.2
// https://hg.mozilla.org/mozilla-central/rev/304560
user_pref("plugins.update.notifyUser", false);
// PREF: Force Punycode for Internationalized Domain Names
// http://kb.mozillazine.org/Network.IDN_show_punycode
// https://www.xudongz.com/blog/2017/idn-phishing/
// https://wiki.mozilla.org/IDN_Display_Algorithm
// https://en.wikipedia.org/wiki/IDN_homograph_attack
// https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
user_pref("network.IDN_show_punycode", true);
// PREF: Disable inline autocomplete in URL bar
// http://kb.mozillazine.org/Inline_autocomplete
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);
// PREF: Disable CSS :visited selectors
// https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
// https://dbaron.org/mozilla/visited-privacy
user_pref("layout.css.visited_links_enabled", false);
// PREF: Disable URL bar autocomplete and history/bookmarks suggestions dropdown
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
user_pref("browser.urlbar.autocomplete.enabled", false);
// PREF: Do not check if Firefox is the default browser
user_pref("browser.shell.checkDefaultBrowser", false);
// PREF: When password manager is enabled, lock the password storage periodically
// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
user_pref("security.ask_for_password", 2);
// PREF: Lock the password storage every 1 minutes (default: 30)
user_pref("security.password_lifetime", 1);
// PREF: Display a notification bar when websites offer data for offline use
// http://kb.mozillazine.org/Browser.offline-apps.notify
user_pref("browser.offline-apps.notify", true);
/******************************************************************************
* SECTION: Cryptography *
******************************************************************************/
// PREF: Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
user_pref("network.stricttransportsecurity.preloadlist", true);
// PREF: Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
// https://www.imperialviolet.org/2014/04/19/revchecking.html
// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
// https://wiki.mozilla.org/CA:RevocationPlan
// https://wiki.mozilla.org/CA:ImprovingRevocation
// https://wiki.mozilla.org/CA:OCSP-HardFail
// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
// NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
// NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
// NOTICE: OCSP adds latency (performance)
// NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
// CIS Version 1.2.0 October 21st, 2011 2.2.4
user_pref("security.OCSP.enabled", true);
// PREF: Enable OCSP Stapling support
// https://en.wikipedia.org/wiki/OCSP_stapling
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
// https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
user_pref("security.ssl.enable_ocsp_stapling", true);
// PREF: Enable OCSP Must-Staple support (Firefox>= 45)
// https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
// https://www.entrust.com/ocsp-must-staple/
// https://github.com/schomery/privacy-settings/issues/40
// NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
user_pref("security.ssl.enable_ocsp_must_staple", false);
// PREF: Require a valid OCSP response for OCSP enabled certificates
// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
// NOTICE: `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
// NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
user_pref("security.OCSP.require", false);
//
// PREF: Disable TLS Session Tickets
// https://www.blackhat.com/us-13/briefings.html#NextGen
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
// https://bugzilla.mozilla.org/show_bug.cgi?id=917049
// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
user_pref("security.ssl.disable_session_identifiers", false);
//
//Software::Browser
// Firefox 74 schaltet TLS 1.0 und 1.1 ab
// Firefox 74 setzt die bereits 2018 beschlossene Abschaltung von TLS 1.0 und 1.1 in die Tat um und ergreift Maßnahmen gegen WebRTC-Leaking.
// https://www.pro-linux.de/news/1/27860/firefox-74-schaltet-tls-10-und-11-ab.html
// PREF: Only allow TLS 1.[0-3]
// http://kb.mozillazine.org/Security.tls.version.*
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 4);
// user_pref("security.tls.version.enable-deprecated", false);
// PREF: Disable insecure TLS version fallback
// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
user_pref("security.tls.version.fallback-limit", 3);
// PREF: Enfore Public Key Pinning
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
// "2. Strict. Pinning is always enforced."
user_pref("security.cert_pinning.enforcement_level", 2);
// PREF: Disallow SHA-1
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
// https://shattered.io/
user_pref("security.pki.sha1_enforcement_level", 1);
// PREF: Warn the user when server doesn´t support RFC 5746 ("safe" renegotiation)
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
// PREF: Disallow connection to servers not supporting safe renegotiation (disabled)
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
// TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
user_pref("security.ssl.require_safe_negotiation", false);
// PREF: Disable automatic reporting of TLS connection errors
// https://support.mozilla.org/en-US/kb/certificate-pinning-reports
// we could also disable security.ssl.errorReporting.enabled, but I think it´s
// good to leave the option to report potentially malicious sites if the user
// chooses to do so.
// you can test this at https://pinningtest.appspot.com/
user_pref("security.ssl.errorReporting.automatic", false);
// PREF: Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog
// http://kb.mozillazine.org/Browser.ssl_override_behavior
// https://github.com/pyllyukko/user.js/issues/210
user_pref("browser.ssl_override_behavior", 1);
/******************************************************************************
* SECTION: Cipher suites *
******************************************************************************/
// PREF: Disable null ciphers
user_pref("security.ssl3.rsa_null_sha", false);
user_pref("security.ssl3.rsa_null_md5", false);
user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdh_rsa_null_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
// PREF: Disable SEED cipher
// https://en.wikipedia.org/wiki/SEED
user_pref("security.ssl3.rsa_seed_sha", false);
// PREF: Disable 40/56/128-bit ciphers
// 40-bit ciphers
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);
// 56-bit ciphers
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
// 128-bit ciphers
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
// PREF: Disable RC4
// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
// https://rc4.io/
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.tls.unrestricted_rc4_fallback", false);
// PREF: Disable 3DES (effective key size is < 128)
// https://en.wikipedia.org/wiki/3des#Security
// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
// http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
// PREF: Disable ciphers with ECDH (non-ephemeral)
user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
// PREF: Disable 256 bits ciphers without PFS
user_pref("security.ssl3.rsa_camellia_256_sha", false);
// PREF: Enable ciphers with ECDHE and key size> 128bits
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014
user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a
// PREF: Enable GCM ciphers (TLSv1.2 only)
// https://en.wikipedia.org/wiki/Galois/Counter_Mode
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f
// PREF: Enable ChaCha20 and Poly1305 (Firefox>= 47)
// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
// https://tools.ietf.org/html/rfc7905
// https://bugzilla.mozilla.org/show_bug.cgi?id=917571
// https://bugzilla.mozilla.org/show_bug.cgi?id=1247860
// https://cr.yp.to/chacha.html
user_pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true);
user_pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true);
// PREF: Disable ciphers susceptible to the logjam attack
// https://weakdh.org/
user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
// PREF: Disable ciphers with DSA (max 1024 bits)
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
// PREF: Fallbacks due compatibility reasons
user_pref("security.ssl3.rsa_aes_256_sha", true); // 0x35
user_pref("security.ssl3.rsa_aes_128_sha", true); // 0x2f
//
// Firefox-hardening, https://forum.mxlinux.org/viewtopic.php?t=51318
//
user_pref("app.update.lastUpdateTime.experiments-update-timer",0);
user_pref("browser.backspace_action", 0);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.frecency_experiment", -1);
user_pref("browser.cache.use_new_backend_temp", false);
user_pref("browser.contentHandlers.types.0.title", "");
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.id", "");
user_pref("browser.search.countryCode", "");
user_pref("browser.search.region", "");
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", false);
user_pref("layers.acceleration.force-enabled", true);
user_pref("intl.accept_languages", "en-US,en;q=0.5");
user_pref("media.decoder-doctor.notifications-allowed", "");
user_pref("extensions.blocklist.enabled", false);
user_pref("media.peerconnection.identity.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("media.peerconnection.simulcast", false);
user_pref("media.peerconnection.turn.disable", true);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref"media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.video.vp9_enabled", false);
user_pref("network.captive-portal-service.enabled", false);
user_pref("places.frecency.unvisitedBookmarkBonus", 0);
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("services.sync.telemetry.submissionInterval", 999999999);
user_pref("startup.homepage_override_url", "");
user_pref("startup.homepage_welcome_url", "");
user_pref("urlclassifier.malwareTable", "");
user_pref("urlclassifier.phishTable", "");
//
//https://github.com/pyllyukko/user.js#download
//
// end of user.js
On certificate errros do the following: enter the error causing url into the second field of noscript for https under exceptions, where each http might get blocked by a set * (star) within the first field. If this does not help, formulate error-exceptions with Firefox, by accepting corrputed certificates manually. Enter a remote-host-IP into /etc/resolv.conf: nameserver remote-dns-ip too.
// ======================================================================================
// Mozilla User Preferences (prefs.js)
// ======================================================================================
// Mozilla User Preferences (prefs.js)
// Pale Moone: /home/surfuser/.moon*/pale*/your-profile-directory/prefs.js
# Mozilla User Preferences
/* Do not edit this file.
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
*/
user_pref("accessibility.AOM.enabled", true);
user_pref("accessibility.accesskeycausesactivation", false);
user_pref("accessibility.ipc_architecture.enabled", false);
user_pref("accessibility.typeaheadfind.enablesound", false);
user_pref("accessibility.typeaheadfind.flashBar", 0);
user_pref("app.releaseNotesURL", "");
user_pref("app.support.baseURL", "");
user_pref("app.update.channel", "none");
user_pref("app.update.download.backgroundInterval", 0);
user_pref("app.update.enabled", false);
user_pref("app.update.idletime", -1);
user_pref("app.update.interval", -1);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0);
user_pref("app.update.lastUpdateTime.background-update-timer", 0);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);
user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1599840640);
user_pref("app.update.lastUpdateTime.user-agent-updates-timer", 1599388459);
user_pref("app.update.timerMinimumDelay", -1);
user_pref("app.update.url", "");
user_pref("app.update.url.details", "");
user_pref("app.update.url.manual", "");
user_pref("app.vendorURL", "");
user_pref("apz.allow_checkerboarding", false);
user_pref("beacon.enabled", false);
user_pref("browser.addon-watch.ignore", "");
user_pref("browser.allTabs.previews", false);
user_pref("browser.autofocus", false);
user_pref("browser.backspace_action", 0);
user_pref("browser.bookmarks.restore_default_bookmarks", false);
user_pref("browser.cache.check_doc_frequency", 0);
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk.filesystem_reported", 0);
user_pref("browser.cache.disk.max_entry_size", 0);
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("browser.cache.memory.enable", false);
user_pref("browser.cache.offline.capacity", 0);
user_pref("browser.cache.offline.enable", false);
user_pref("browser.contentHandlers.types.0.title", "");
user_pref("browser.contentHandlers.types.0.uri", "");
user_pref("browser.ctrlTab.previews", false);
user_pref("browser.dictionaries.download.url", "");
user_pref("browser.display.use_document_fonts", 0);
user_pref("browser.download.dir", "/tmp2");
user_pref("browser.download.folderList", 2);
user_pref("browser.download.forbid_open_with", true);
user_pref("browser.download.importedFromSqlite", true);
user_pref("browser.download.manager.addToRecentDocs", false);
user_pref("browser.download.panel.shown", true);
user_pref("browser.download.useDownloadDir", true);
user_pref("browser.feedback.url", "");
user_pref("browser.fixup.alternate.enabled", false);
user_pref("browser.fixup.alternate.suffix", ".de");
user_pref("browser.formfill.enable", false);
user_pref("browser.formfill.expire_days", 1);
user_pref("browser.formfill.saveHttpsForms", false);
user_pref("browser.fullscreen.animateUp", 0);
user_pref("browser.fullscreen.autohide", false);
user_pref("browser.geolocation.warning.infoURL", "");
user_pref("browser.getdevtools.url", "");
user_pref("browser.link.open_newwindow", 1);
user_pref("browser.link.open_newwindow.restriction", 0);
user_pref("browser.migration.version", 24);
user_pref("browser.mixedcontent.warning.infoURL", "");
user_pref("browser.newtabpage.columns", 0);
user_pref("browser.newtabpage.rows", 0);
user_pref("browser.newtabpage.storageVersion", 1);
user_pref("browser.offline-apps.notify", false);
user_pref("browser.pagethumbnails.storage_version", 3);
user_pref("browser.places.smartBookmarksVersion", 4);
user_pref("browser.preferences.advanced.selectedTabIndex", 1);
user_pref("browser.preferences.privacy.selectedTabIndex", 0);
user_pref("browser.privatebrowsing.autostart", true);
user_pref("browser.push.warning.infoURL", "");
user_pref("browser.search.defaultenginename", "Wikipedia (en)");
user_pref("browser.search.geoip.timeout", 1);
user_pref("browser.search.geoip.url", "");
user_pref("browser.search.official", false);
user_pref("browser.search.order.1", "");
user_pref("browser.search.order.2", "");
user_pref("browser.search.order.3", "");
user_pref("browser.search.order.4", "");
user_pref("browser.search.searchEnginesURL", "");
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.search.update", false);
user_pref("browser.search.update.interval", -1);
user_pref("browser.send_pings.max_per_link", 0);
user_pref("browser.sessionhistory.max_entries", 4);
user_pref("browser.sessionstore.max_windows_undo", 2);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.shell.skipDefaultBrowserCheckOnFirstRun", true);
user_pref("browser.slowStartup.averageTime", 0);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.slowstartup.help.url", "");
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.homepage_override.buildID", "0");
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("browser.startup.page", 0);
user_pref("browser.tabs.closeWindowWithLastTab", false);
user_pref("browser.tabs.loadInBackground", false);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.clickSelectsAll", false);
user_pref("browser.urlbar.matchBehavior", 2);
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.searches", false);
user_pref("browser.xul.error_pages.enabled", false);
user_pref("browser.zoom.siteSpecific", false);
user_pref("camera.control.face_detection.enabled", false);
user_pref("canvas.poisondata", true);
user_pref("capability.policy.maonoscript.sites", "192.168.178.1 about: about:addons about:blank about:blocked about:certerror about:config about:crashes about:feeds about:home about:memory about:neterror about:plugins about:preferences about:privatebrowsing about:sessionrestore about:srcdoc about:support about:tabcrashed blob: chrome: mediasource: moz-extension: moz-safe-about: resource:");
user_pref("captivedetect.canonicalURL", "");
user_pref("clipboard.autocopy", false);
user_pref("device.sensors.enabled", false);
user_pref("devtools.browserconsole.filter.csserror", false);
user_pref("devtools.browserconsole.filter.error", false);
user_pref("devtools.browserconsole.filter.exception", false);
user_pref("devtools.browserconsole.filter.info", false);
user_pref("devtools.browserconsole.filter.jslog", false);
user_pref("devtools.browserconsole.filter.jswarn", false);
user_pref("devtools.browserconsole.filter.log", false);
user_pref("devtools.browserconsole.filter.netwarn", false);
user_pref("devtools.browserconsole.filter.network", false);
user_pref("devtools.browserconsole.filter.secerror", false);
user_pref("devtools.browserconsole.filter.secwarn", false);
user_pref("devtools.browserconsole.filter.serviceworkers", false);
user_pref("devtools.browserconsole.filter.sharedworkers", false);
user_pref("devtools.chrome.enabled", true);
user_pref("devtools.command-buttion-splitconsole.enabled", false);
user_pref("devtools.command-button-frames.enabled", false);
user_pref("devtools.command-button-responsive.enabled", false);
user_pref("devtools.debugger.client-source-maps-enabled", false);
user_pref("devtools.debugger.enabled", false);
user_pref("devtools.debugger.prompt-connection", false);
user_pref("devtools.debugger.source-maps-enabled", false);
user_pref("devtools.devedition.promo.url", "");
user_pref("devtools.devices.url", "");
user_pref("devtools.errorconsole.deprecation_warnings", false);
user_pref("devtools.errorconsole.enabled", false);
user_pref("devtools.errorconsole.performance_warnings", false);
user_pref("devtools.gcli.imgurUploadURL", "");
user_pref("devtools.gcli.jquerySrc", "");
user_pref("devtools.gcli.lodashSrc", "");
user_pref("devtools.gcli.underscoreSrc", "");
user_pref("devtools.memory.enabled", false);
user_pref("devtools.remote.wifi.scan", false);
user_pref("devtools.remote.wifi.visible", false);
user_pref("devtools.telemetry.supported_performance_marks", "");
user_pref("devtools.telemetry.tools.opened.version", "");
user_pref("devtools.toolbox.selectedTool", "inspector");
user_pref("devtools.webconsole.filter.error", false);
user_pref("devtools.webconsole.filter.secerror", false);
user_pref("devtools.webconsole.inputHistoryCount", 4);
user_pref("devtools.webide.adaptersAddonURL", "");
user_pref("devtools.webide.adbAddonURL", "");
user_pref("devtools.webide.addonsURL", "");
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.webide.enabled", false);
user_pref("devtools.webide.simulatorAddonsURL", "");
user_pref("devtools.webide.templatesURL", "");
user_pref("dom.caches.enabled", false);
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true);
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
user_pref("dom.enable_performance", false);
user_pref("dom.enable_performance_navigation_timing", false);
user_pref("dom.enable_resource_timing", false);
user_pref("dom.enable_user_timing", false);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.event.contextmenu.enabled", false);
user_pref("dom.gamepad.enabled", false);
user_pref("dom.idle-observers-api.enabled", false);
user_pref("dom.indexedDB.enabled", false);
user_pref("dom.ipc.plugins.enabled", false);
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
user_pref("dom.ipc.plugins.reportCrashURL", false);
user_pref("dom.ipc.plugins.timeoutSecs", -1);
user_pref("dom.keyboardevent.code.enabled", false);
user_pref("dom.maxHardwareConcurrency", 2);
user_pref("dom.mms.requestReadReport", false);
user_pref("dom.mms.requestStatusReport", false);
user_pref("dom.popup_allowed_events", "change click dblclick mouseup pointerup notificationclick reset submit ");
user_pref("dom.popup_maximum", 1);
user_pref("dom.push.serverURL", "");
user_pref("dom.storage.enabled", false);
user_pref("dom.vibrator.enabled", false);
user_pref("dom.webaudio.enabled", false);
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.workers.enabled", false);
user_pref("extensions.@no-resource-uri-leak.sdk.baseURI", "resource://no-resource-uri-leak/");
user_pref("extensions.@no-resource-uri-leak.sdk.domain", "no-resource-uri-leak");
user_pref("extensions.@no-resource-uri-leak.sdk.load.reason", "startup");
user_pref("extensions.@no-resource-uri-leak.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/@no-resource-uri-leak.xpi!/");
user_pref("extensions.@no-resource-uri-leak.sdk.version", "1.1.0");
user_pref("extensions.@no-resource-uri-leak.uri.about.restricted", true);
user_pref("extensions.@no-resource-uri-leak.uri.chrome.blocking.enabled", true);
user_pref("extensions.CanvasBlocker@kkapsner.de.blockMode", "blockEverything");
user_pref("extensions.CanvasBlocker@kkapsner.de.sdk.baseURI", "resource://canvasblocker-at-kkapsner-dot-de/");
user_pref("extensions.CanvasBlocker@kkapsner.de.sdk.domain", "canvasblocker-at-kkapsner-dot-de");
user_pref("extensions.CanvasBlocker@kkapsner.de.sdk.load.reason", "startup");
user_pref("extensions.CanvasBlocker@kkapsner.de.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/CanvasBlocker@kkapsner.de.xpi!/");
user_pref("extensions.CanvasBlocker@kkapsner.de.sdk.version", "0.3.8-Release");
user_pref("extensions.CanvasBlocker@kkapsner.de.whiteList");
user_pref("extensions.CanvasBlocker@legacy.blockMode", "blockEverything");
user_pref("extensions.CanvasBlocker@legacy.protectWindow", true);
user_pref("extensions.CanvasBlocker@legacy.sdk.baseURI", "resource://canvasblocker-at-legacy/");
user_pref("extensions.CanvasBlocker@legacy.sdk.domain", "canvasblocker-at-legacy");
user_pref("extensions.CanvasBlocker@legacy.sdk.load.reason", "startup");
user_pref("extensions.CanvasBlocker@legacy.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/CanvasBlocker@legacy.xpi!/");
user_pref("extensions.CanvasBlocker@legacy.sdk.version", "0.2");
user_pref("extensions.CanvasBlocker@legacy.whiteList");
user_pref("extensions.PrivacyBadger@PaleMoon.doNotTrackDefaultEnabled", true);
user_pref("extensions.PrivacyBadger@PaleMoon.sdk.baseURI", "resource://privacybadger-at-palemoon/");
user_pref("extensions.PrivacyBadger@PaleMoon.sdk.domain", "privacybadger-at-palemoon");
user_pref("extensions.PrivacyBadger@PaleMoon.sdk.load.reason", "startup");
user_pref("extensions.PrivacyBadger@PaleMoon.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/PrivacyBadger@PaleMoon.xpi!/");
user_pref("extensions.PrivacyBadger@PaleMoon.sdk.version", "2.0.4");
user_pref("extensions.SecretAgent.EntropyLevel", "session");
user_pref("extensions.SecretAgent.ShowHijackRedirectAlerts", false);
user_pref("extensions.SecretAgent.ShowSpikeHijackRedirectAlerts", false);
user_pref("extensions.SecretAgent.SpikeHijackRedirectLocation", "about:blank");
user_pref("extensions.SecretAgent.SpikeHijackRedirects", true);
user_pref("extensions.SecretAgent.UserAgentList"Privoxy/1.0
Privoxy/1.0)");
user_pref("extensions.SecretAgent.Whitelist", "fr2.rpmfind.net
*.pro-linux.de
*.ebay.*
*.palemoon.org
");
user_pref("extensions.SecretAgent.WhitelistAcceptBehaviour", "override");
user_pref("extensions.SecretAgent.WhitelistOSCPUBehaviour", "override");
user_pref("extensions.SecretAgent.WhitelistUserAgent", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
user_pref("extensions.SecretAgent.WhitelistUserAgentBehaviour", "override");
user_pref("extensions.SecretAgent.showStartupAlert", false);
user_pref("extensions.adblockplus.currentVersion", "5.0.8");
user_pref("extensions.adblockplus.documentation_link", "");
user_pref("extensions.adblockplus.notificationdata", "{\"lastCheck\":1578864747154,\"softExpiration\":1566545165716,\"hardExpiration\":1543866785218,\"data\":{\"notifications\":[],\"version\":\"201812011851\"},\"lastError\":1578843883688,\"downloadStatus\":\"synchronize_invalid_url\",\"downloadCount\":46}");
user_pref("extensions.adblockplus.notificationurl", "");
user_pref("extensions.adblockplus.report_submiturl", "");
user_pref("extensions.adblockplus.subscriptions_antiadblockurl", "");
user_pref("extensions.adblockplus.subscriptions_autoupdate", false);
user_pref("extensions.adblockplus.subscriptions_exceptionsurl", "");
user_pref("extensions.adblockplus.subscriptions_fallbackurl", "");
user_pref("extensions.adblockplus.subscriptions_listurl", "");
user_pref("extensions.blocklist.detailsURL", "");
user_pref("extensions.blocklist.itemURL", "");
user_pref("extensions.blocklist.pingCountTotal", 209);
user_pref("extensions.blocklist.pingCountVersion", -1);
user_pref("extensions.blocklist.url", "");
user_pref("extensions.bootstrappedAddons", "{\"rpcontinued@amo.requestpolicy.org\":{\"version\":\"1.0.beta13.2\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/rpcontinued@amo.requestpolicy.org.xpi\",\"multiprocessCompatible\":false},\"@no-resource-uri-leak\":{\"version\":\"1.1.0\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/@no-resource-uri-leak.xpi\",\"multiprocessCompatible\":true},\"CanvasBlocker@legacy\":{\"version\":\"0.2\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/CanvasBlocker@legacy.xpi\",\"multiprocessCompatible\":true},\"jid1-BoFifL9Vbdl2zQ@jetpack\":{\"version\":\"1.4.2\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/jid1-BoFifL9Vbdl2zQ@jetpack.xpi\",\"multiprocessCompatible\":true},\"{b5af16a6-105d-4a14-a5a6-c2b358b06a04}\":{\"version\":\"1.2.2.010\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.xpi\",\"multiprocessCompatible\":true},\"jid1-4fe6b55d552d870d@jetpack\":{\"version\":\"0.7.7\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/jid1-4fe6b55d552d870d@jetpack.xpi\",\"multiprocessCompatible\":false},\"adblocklatitude@addons.palemoon.org\":{\"version\":\"5.0.8\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/adblocklatitude@addons.palemoon.org.xpi\",\"multiprocessCompatible\":false},\"eMatrix@vannilla.org\":{\"version\":\"4.3.2\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/eMatrix@vannilla.org.xpi\",\"multiprocessCompatible\":false},\"PrivacyBadger@PaleMoon\":{\"version\":\"2.0.4\",\"type\":\"extension\",\"descriptor\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/PrivacyBadger@PaleMoon.xpi\",\"multiprocessCompatible\":false}}");
user_pref("extensions.changerefererbutton.showInStatusBar", true);
user_pref("extensions.compatibility.url", "");
user_pref("extensions.cookieController.1stPartyOnlyCount", 3);
user_pref("extensions.cookieController.allowCookiesCount", 23);
user_pref("extensions.cookieController.safeMode", true);
user_pref("extensions.cookieController.sessionOnlyCount", 1);
user_pref("extensions.databaseSchema", 16);
user_pref("extensions.disable-about-something@clear-code.com.about.accounts", false);
user_pref("extensions.disable-about-something@clear-code.com.about.addons", true);
user_pref("extensions.disable-about-something@clear-code.com.about.config", true);
user_pref("extensions.disable-about-something@clear-code.com.about.downloads", false);
user_pref("extensions.disable-about-something@clear-code.com.about.permissions", false);
user_pref("extensions.disable-about-something@clear-code.com.about.profiles", false);
user_pref("extensions.disable-about-something@clear-code.com.about.sync-*", false);
user_pref("extensions.eclipsedmoon.device.laptop.useragent", "");
user_pref("extensions.eclipsedmoon.device.laptop.weights.os", "Linux = 1
Mac = 9
Windows = 13
");
user_pref("extensions.eclipsedmoon.device.laptop.weights.ua", "Vivaldi = 3
Firefox = 5
Chrome = 6
Other = 21");
user_pref("extensions.eclipsedmoon.mode", "smart");
user_pref("extensions.eclipsedmoon.staticUserAgent", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
user_pref("extensions.ematrix.cloudStorage.myRulesPane", "");
user_pref("extensions.ematrix.legacyToolbarButtonAdded", true);
user_pref("extensions.ematrix.paneContentPaddingTop", "86px");
user_pref("extensions.enabledAddons", "%7B8eb2e77d-73aa-4620-a9dd-9ddae0602172%7D:0.5,blockcont%40mdsy:0.3,%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.9.0.13,pure-url%40palemoon:3.1.4,%7B8e05f2af-03be-443e-a2b5-b4375a3a1930%7D:3.3.0,SecretAgent%40Dephormation.org.uk:1.35,%7Bc3303c6e-5424-41a3-8e65-255687a94434%7D:2.3");
user_pref("extensions.getAddons.browseAddons", "");
user_pref("extensions.getAddons.get.url", "");
user_pref("extensions.getAddons.getWithPerformance.url", "");
user_pref("extensions.getAddons.recommended.browseURL", "");
user_pref("extensions.getAddons.recommended.url", "");
user_pref("extensions.getAddons.search.browseURL", "");
user_pref("extensions.getAddons.search.url", "");
user_pref("extensions.getMoreThemesURL", "");
user_pref("extensions.jid1-4fe6b55d552d870d@jetpack.sdk.baseURI", "resource://jid1-4fe6b55d552d870d-at-jetpack/");
user_pref("extensions.jid1-4fe6b55d552d870d@jetpack.sdk.domain", "jid1-4fe6b55d552d870d-at-jetpack");
user_pref("extensions.jid1-4fe6b55d552d870d@jetpack.sdk.load.reason", "startup");
user_pref("extensions.jid1-4fe6b55d552d870d@jetpack.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/jid1-4fe6b55d552d870d@jetpack.xpi!/");
user_pref("extensions.jid1-4fe6b55d552d870d@jetpack.sdk.version", "0.7.7");
user_pref("extensions.jid1-BoFifL9Vbdl2zQ@jetpack.sdk.baseURI", "resource://jid1-bofifl9vbdl2zq-at-jetpack/");
user_pref("extensions.jid1-BoFifL9Vbdl2zQ@jetpack.sdk.domain", "jid1-bofifl9vbdl2zq-at-jetpack");
user_pref("extensions.jid1-BoFifL9Vbdl2zQ@jetpack.sdk.load.reason", "startup");
user_pref("extensions.jid1-BoFifL9Vbdl2zQ@jetpack.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/jid1-BoFifL9Vbdl2zQ@jetpack.xpi!/");
user_pref("extensions.jid1-BoFifL9Vbdl2zQ@jetpack.sdk.version", "1.4.2");
user_pref("extensions.lastAppVersion", "28.13.0");
user_pref("extensions.lastPlatformVersion", "4.6.0");
user_pref("extensions.mdsy.block.font", true);
user_pref("extensions.mdsy.block.media", true);
user_pref("extensions.mdsy.block.object", true);
user_pref("extensions.mdsy.block.xhr", true);
user_pref("extensions.pcookie.allowCookiesCount", 2);
user_pref("extensions.pcookie.firstRun", false);
user_pref("extensions.pcookie.sessionOnlyCount", 8);
user_pref("extensions.pendingOperations", false);
user_pref("extensions.permissionsplus.firstrun", false);
user_pref("extensions.pm-localeswitch{at}palemoon{dot}org.isFirstRun", false);
user_pref("extensions.pm-localeswitch{at}palemoon{dot}org.lastRecordedVersion", "v3.0");
user_pref("extensions.pure-url@palemoon.firstrun", false);
user_pref("extensions.pure-url@palemoon.garbage_fields", "action_object_map,action_ref_map,action_type_map,amp,_branch_match_id,ch@quora.com,cid,correlation_id,deep_link,fb_action_ids,fb_action_types,fbclid,fbrefresh,fb_ref,fb_source,feature@youtube.com,fref@facebook.com,ga_campaign,ga_content,ga_medium,ga_place,ga_source,ga_term,gclid,gs_l,hc_location@facebook.com,hc_ref@facebook.com,hilit,igshid,mbid,m@blogspot.com,midToken@linkedin.com,_nc_cat,_openstat,partner,pcampaignid,pfmredir,ref@amazon.in,ref@facebook.com,refId@linkedin.com,ref_@imdb.com,ref_src,sdsrc,sfnsn,share@quora.com,source@medium.com,src@addons.mozilla.org,srid,theater,__tn__,trk,trkEmail@linkedin.com,__twitter_impression,uclick,uclickhash,utm_brand,utm_campaign,utm_content,utm_cta,utm_medium,utm_name,utm_place,utm_reader,utm_social-type,utm_source,utm_term,ved,__xts__,yclid");
user_pref("extensions.pure-url@palemoon.request_hook_enabled", false);
user_pref("extensions.pure-url@palemoon.shorteners", "");
user_pref("extensions.pure-url@palemoon.toolsmenu", true);
user_pref("extensions.requestpolicy.allowedOriginsToDestinations", "");
user_pref("extensions.requestpolicy.defaultPolicy.allowSameDomain", false);
user_pref("extensions.requestpolicy.initialSetupDialogShown", false);
user_pref("extensions.requestpolicy.lastAppVersion", "28.13.0");
user_pref("extensions.requestpolicy.lastVersion", "1.0.beta13.2");
user_pref("extensions.requestpolicy.privateBrowsingPermanentWhitelisting", true);
user_pref("extensions.requestpolicy.welcomeWindowShown", true);
user_pref("extensions.sdk-button-location.action-button--1607f7ec-8262-4016-b51f-f9f5b43d43f1-self-destructing-cookies", "nav-bar,action-button--b5af16a6-105d-4a14-a5a6-c2b358b06a04-js-btn-show");
user_pref("extensions.sdk-button-location.action-button--b5af16a6-105d-4a14-a5a6-c2b358b06a04-js-btn-show", "nav-bar,");
user_pref("extensions.sdk-button-location.toggle-button--privacybadgerpalemoon-pb-button", "nav-bar,change-referer-button-toolbarbutton");
user_pref("extensions.shownSelectionUI", true);
user_pref("extensions.torbutton.security_slider", 1);
user_pref("extensions.torbutton.startup", true);
user_pref("extensions.torlauncher.torrc_fixup_version", 2);
user_pref("extensions.ui.dictionary.hidden", true);
user_pref("extensions.ui.lastCategory", "addons://list/extension");
user_pref("extensions.ui.locale.hidden", true);
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.update.background.url", "");
user_pref("extensions.update.enabled", false);
user_pref("extensions.update.url", "");
user_pref("extensions.webservice.discoverURL", "");
user_pref("extensions.xpiState", "{\"app-profile\":{\"PrivacyBadger@PaleMoon\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/PrivacyBadger@PaleMoon.xpi\",\"e\":true,\"v\":\"2.0.4\",\"st\":1597329690000},\"jid1-4fe6b55d552d870d@jetpack\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/jid1-4fe6b55d552d870d@jetpack.xpi\",\"e\":true,\"v\":\"0.7.7\",\"st\":1596553373000},\"SecretAgent@Dephormation.org.uk\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/SecretAgent@Dephormation.org.uk.xpi\",\"e\":true,\"v\":\"1.35\",\"st\":1597496382000},\"{8e05f2af-03be-443e-a2b5-b4375a3a1930}\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/{8e05f2af-03be-443e-a2b5-b4375a3a1930}.xpi\",\"e\":true,\"v\":\"3.3.0\",\"st\":1596573917000},\"{c3303c6e-5424-41a3-8e65-255687a94434}\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/{c3303c6e-5424-41a3-8e65-255687a94434}.xpi\",\"e\":true,\"v\":\"2.3\",\"st\":1598213977000},\"pure-url@palemoon\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/pure-url@palemoon.xpi\",\"e\":true,\"v\":\"3.1.4\",\"st\":1596553405000},\"@no-resource-uri-leak\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/@no-resource-uri-leak.xpi\",\"e\":true,\"v\":\"1.1.0\",\"st\":1596432454000},\"blockcont@mdsy\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/blockcont@mdsy.xpi\",\"e\":true,\"v\":\"0.3\",\"st\":1596579783000},\"jid1-BoFifL9Vbdl2zQ@jetpack\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/jid1-BoFifL9Vbdl2zQ@jetpack.xpi\",\"e\":true,\"v\":\"1.4.2\",\"st\":1596553177000},\"rpcontinued@amo.requestpolicy.org\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/rpcontinued@amo.requestpolicy.org.xpi\",\"e\":true,\"v\":\"1.0.beta13.2\",\"st\":1596432107000},\"{b5af16a6-105d-4a14-a5a6-c2b358b06a04}\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.xpi\",\"e\":true,\"v\":\"1.2.2.010\",\"st\":1596553313000},\"adblocklatitude@addons.palemoon.org\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/adblocklatitude@addons.palemoon.org.xpi\",\"e\":true,\"v\":\"5.0.8\",\"st\":1596573681000},\"{73a6fe31-595d-460b-a920-fcc0f8843232}\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi\",\"e\":true,\"v\":\"2.9.0.13\",\"st\":1596574093000},\"eMatrix@vannilla.org\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/eMatrix@vannilla.org.xpi\",\"e\":true,\"v\":\"4.3.2\",\"st\":1596576963000},\"CanvasBlocker@legacy\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/CanvasBlocker@legacy.xpi\",\"e\":true,\"v\":\"0.2\",\"st\":1596553098000},\"{8eb2e77d-73aa-4620-a9dd-9ddae0602172}\":{\"d\":\"/home/surfuser/.moonchild productions/pale moon/profile.default/extensions/{8eb2e77d-73aa-4620-a9dd-9ddae0602172}.xpi\",\"e\":true,\"v\":\"0.5\",\"st\":1574887251000}}}");
user_pref("extensions.{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.sdk.baseURI", "resource://b5af16a6-105d-4a14-a5a6-c2b358b06a04/");
user_pref("extensions.{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.sdk.domain", "b5af16a6-105d-4a14-a5a6-c2b358b06a04");
user_pref("extensions.{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.sdk.load.reason", "startup");
user_pref("extensions.{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.sdk.rootURI", "jar:file:///home/surfuser/.moonchild%20productions/pale%20moon/profile.default/extensions/%7Bb5af16a6-105d-4a14-a5a6-c2b358b06a04%7D.xpi!/");
user_pref("extensions.{b5af16a6-105d-4a14-a5a6-c2b358b06a04}.sdk.version", "1.2.2.010");
user_pref("font.blacklist.underline_offset", "");
user_pref("font.default.x-western", "sans-serif");
user_pref("font.internaluseonly.changed", true);
user_pref("font.language.group", "x-western");
user_pref("gecko.handlerService.schemes.irc.0.name", "");
user_pref("gecko.handlerService.schemes.irc.0.uriTemplate", "");
user_pref("gecko.handlerService.schemes.irc.1.name", "");
user_pref("gecko.handlerService.schemes.irc.1.uriTemplate", "");
user_pref("gecko.handlerService.schemes.irc.2.name", "");
user_pref("gecko.handlerService.schemes.irc.2.uriTemplate", "");
user_pref("gecko.handlerService.schemes.irc.3.name", "");
user_pref("gecko.handlerService.schemes.irc.3.uriTemplate", "");
user_pref("gecko.handlerService.schemes.ircs.0.name", "");
user_pref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
user_pref("gecko.handlerService.schemes.ircs.1.name", "");
user_pref("gecko.handlerService.schemes.ircs.1.uriTemplate", "");
user_pref("gecko.handlerService.schemes.ircs.2.name", "");
user_pref("gecko.handlerService.schemes.ircs.2.uriTemplate", "");
user_pref("gecko.handlerService.schemes.ircs.3.name", "");
user_pref("gecko.handlerService.schemes.ircs.3.uriTemplate", "");
user_pref("gecko.handlerService.schemes.mailto.0.name", "");
user_pref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
user_pref("gecko.handlerService.schemes.mailto.1.name", "");
user_pref("gecko.handlerService.schemes.mailto.1.uriTemplate", "");
user_pref("gecko.handlerService.schemes.mailto.2.name", "");
user_pref("gecko.handlerService.schemes.mailto.2.uriTemplate", "");
user_pref("gecko.handlerService.schemes.mailto.3.name", "");
user_pref("gecko.handlerService.schemes.mailto.3.uriTemplate", "");
user_pref("gecko.handlerService.schemes.webcal.0.name", "");
user_pref("gecko.handlerService.schemes.webcal.0.uriTemplate", "");
user_pref("gecko.handlerService.schemes.webcal.1.name", "");
user_pref("gecko.handlerService.schemes.webcal.1.uriTemplate", "");
user_pref("gecko.handlerService.schemes.webcal.2.name", "");
user_pref("gecko.handlerService.schemes.webcal.2.uriTemplate", "");
user_pref("gecko.handlerService.schemes.webcal.3.name", "");
user_pref("gecko.handlerService.schemes.webcal.3.uriTemplate", "");
user_pref("general.useragent.compatMode", 0);
user_pref("general.useragent.compatMode.firefox", false);
user_pref("general.useragent.compatMode.gecko", false);
user_pref("general.useragent.compatMode.version", "");
user_pref("general.useragent.site_specific_overrides", false);
user_pref("general.useragent.updates.enabled", false);
user_pref("general.useragent.updates.interval", 0);
user_pref("general.useragent.updates.lastupdated", "0");
user_pref("general.useragent.updates.retry", 0);
user_pref("general.useragent.updates.url", "");
user_pref("general.warnOnAboutConfig", false);
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("gestures.enable_single_finger_input", false);
user_pref("gfx.blacklist.canvas2d.acceleration.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.direct2d.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.direct3d11angle.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.hardwarevideodecoding.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d10-1.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d10.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d11.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d9.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.opengl.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.stagefright.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.angle.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.msaa.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.opengl.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webrtc.hw.acceleration.decode.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webrtc.hw.acceleration.encode.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webrtc.hw.acceleration.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.canvas.skiagl.dynamic-cache", false);
user_pref("gfx.direct2d.disabled", true);
user_pref("gfx.downloadable_fonts.disable_cache", true);
user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
user_pref("identity.fxaccounts.auth.uri", "");
user_pref("idle.lastDailyNotification", 1599826369);
user_pref("image.cache.size", 0);
user_pref("intl.accept_languages", "en-us");
user_pref("intl.charset.fallback.override", "UTF-8");
user_pref("javascript.enabled", false);
user_pref("javascript.options.wasm", false);
user_pref("javascript.options.wasm_baselinejit", false);
user_pref("keyword.enabled", false);
user_pref("layers.shared-buffer-provider.enabled", false);
user_pref("layout.css.font-loading-api.enabled", false);
user_pref("layout.css.prefixes.font-features", false);
user_pref("layout.css.visited_links_enabled", false);
user_pref("layout.spellcheckDefault", 0);
user_pref("lightweightThemes.update.enabled", false);
user_pref("mathml.disabled", true);
user_pref("media.autoplay.enabled", false);
user_pref("media.cache_size", 0);
user_pref("media.decoder-doctor.notifications-allowed", "");
user_pref("media.encoder.webm.enabled", false);
user_pref("media.ffmpeg.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.gmp-manager.certs.1.commonName", "");
user_pref("media.gmp-manager.certs.2.commonName", "");
user_pref("media.gmp-manager.url", "");
user_pref("media.hardware-video-decoding.enabled", false);
user_pref("media.mediasource.enabled", false);
user_pref("media.mediasource.mp4.enabled", false);
user_pref("media.mediasource.webm.audio.enabled", false);
user_pref("media.mediasource.webm.enabled", false);
user_pref("media.mp4.enabled", false);
user_pref("media.ogg.enabled", false);
user_pref("media.ogg.flac.enabled", false);
user_pref("media.ondevicechange.enabled", false);
user_pref("media.opus.enabled", false);
user_pref("media.play-stand-alone", false);
user_pref("media.seekToNextFrame.enabled", false);
user_pref("media.video-queue.default-size", 0);
user_pref("media.video_stats.enabled", false);
user_pref("media.wave.enabled", false);
user_pref("media.webaudio.enabled", false);
user_pref("media.webm.enabled", false);
user_pref("network.allow-experiments", false);
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.prefsMigrated", true);
user_pref("network.dns.blockDotOnion", false);
user_pref("network.dns.disableIPv6", true);
user_pref("network.dnsCacheEntries", 0);
user_pref("network.http.accept.default", "application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
user_pref("network.http.max-connections", 16);
user_pref("network.http.pipelining", false);
user_pref("network.http.pipelining.reschedule-on-timeout", false);
user_pref("network.http.pipelining.ssl", false);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.spoofSource", true);
user_pref("network.http.referer.trimmingPolicy", 2);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.spdy.allow-push", false);
user_pref("network.http.spdy.coalesce-hostnames", false);
user_pref("network.notify.IPv6", false);
user_pref("network.protocol-handler.warn-external-default", false);
user_pref("network.proxy.no_proxies_on", ".pro-linux.de, .rpmfind.net, .palemoon.org");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.type", 1);
user_pref("network.websocket.max-connections", 1);
user_pref("network.websocket.max-message-size", 1);
user_pref("network.websocket.timeout.close", 1);
user_pref("network.websocket.timeout.open", 1);
user_pref("network.websocket.timeout.ping.response", 1);
user_pref("noscript.ABE.cspHeaderDelim", "ABE0-28605766426066737");
user_pref("noscript.ABE.migration", 1);
user_pref("noscript.ABE.wanIpCheckURL", "");
user_pref("noscript.allowHttpsOnly", 2);
user_pref("noscript.allowWhitelistUpdates", false);
user_pref("noscript.cascadePermissions", true);
user_pref("noscript.clearClick.exceptions", "");
user_pref("noscript.clearClick.subexceptions", "");
user_pref("noscript.contentBlocker", true);
user_pref("noscript.default", "about:blank about:pocket-signup about:pocket-saved");
user_pref("noscript.filterXExceptions", "^https?://[a-z]+\.wikipedia\.org/wiki/[^\"<>?%]+$
");
user_pref("noscript.firstRunRedirection", false);
user_pref("noscript.firstRunRedirection.pending", "5.1.8.7");
user_pref("noscript.fixLinks", false);
user_pref("noscript.forbidBGRefresh.exceptions", "");
user_pref("noscript.forbidBookmarklets", true);
user_pref("noscript.forbidIFrames", true);
user_pref("noscript.forbidMetaRefresh", true);
user_pref("noscript.forbidMetaRefresh.exceptions", "");
user_pref("noscript.forbidWebGL", true);
user_pref("noscript.frameOptions.parentWhitelist", "");
user_pref("noscript.global", true);
user_pref("noscript.gtemp", "");
user_pref("noscript.httpsForced", "*");
user_pref("noscript.httpsForcedBuiltIn", "");
user_pref("noscript.httpsForcedExceptions", "mirror.centos.org
ftp.scientificlinux.org
ftp.pbone.net
ftp.ntua.gr
archive.ubuntu.com
");
user_pref("noscript.ignorePorts", false);
user_pref("noscript.inclusionTypeChecking.exceptions", "");
user_pref("noscript.notify", false);
user_pref("noscript.notify.bottom", false);
user_pref("noscript.notify.hide", true);
user_pref("noscript.notify.hideDelay", 2);
user_pref("noscript.options.tabSelectedIndexes", "1,1,2");
user_pref("noscript.restrictSubdocScripting", true);
user_pref("noscript.showAddress", true);
user_pref("noscript.showDomain", true);
user_pref("noscript.siteInfoProvider", "");
user_pref("noscript.statusLabel", true);
user_pref("noscript.subscription.lastCheck", 2112788290);
user_pref("noscript.surrogate.360Haven.sources", "");
user_pref("noscript.surrogate.ab_adsense.sources", "");
user_pref("noscript.surrogate.ab_adtiger.sources", "");
user_pref("noscript.surrogate.ab_bidvertiser.sources", "");
user_pref("noscript.surrogate.ab_binlayer.sources", "");
user_pref("noscript.surrogate.ab_mirago.sources", "");
user_pref("noscript.surrogate.ab_mirando.sources", "");
user_pref("noscript.surrogate.adagionet.sources", "");
user_pref("noscript.surrogate.addthis.sources", "");
user_pref("noscript.surrogate.adfly.sources", "");
user_pref("noscript.surrogate.amo.sources", "");
user_pref("noscript.surrogate.digg.sources", "");
user_pref("noscript.surrogate.dimtus.sources", "");
user_pref("noscript.surrogate.disqus-theme.sources", "");
user_pref("noscript.surrogate.ga.sources", "");
user_pref("noscript.surrogate.gigya.sources", "");
user_pref("noscript.surrogate.glinks.sources", "");
user_pref("noscript.surrogate.googleThumbs.sources", "");
user_pref("noscript.surrogate.googletag.sources", "");
user_pref("noscript.surrogate.gravatar.sources", "");
user_pref("noscript.surrogate.imagebam.sources", "");
user_pref("noscript.surrogate.imagebunk.sources", "");
user_pref("noscript.surrogate.imdb.sources", "");
user_pref("noscript.surrogate.imgreserve.sources", "");
user_pref("noscript.surrogate.interstitialBox.sources", "");
user_pref("noscript.surrogate.invodo.sources", "");
user_pref("noscript.surrogate.microsoftSupport.sources", "");
user_pref("noscript.surrogate.nscookie.sources", "");
user_pref("noscript.surrogate.picbucks.sources", "");
user_pref("noscript.surrogate.picsee.sources", "");
user_pref("noscript.surrogate.plusone.sources", "");
user_pref("noscript.surrogate.popunder.exceptions", "");
user_pref("noscript.surrogate.qs.sources", "");
user_pref("noscript.surrogate.skimlinks.sources", "");
user_pref("noscript.surrogate.stripe.sources", "");
user_pref("noscript.surrogate.twitter.sources", "");
user_pref("noscript.surrogate.uniblue.sources", "");
user_pref("noscript.surrogate.yieldman.sources", "");
user_pref("noscript.temp", "");
user_pref("noscript.untrusted", "127777.com ad-js.chip.de addthis.com admeira.ch adnxs.com adobedtm.com adrivo.com ads-twitter.com adsafeprotected.com adscale.de adserver.trojaner-info.de adtech.de adtm.chip.de ajax.googleapis.com akamaihd.net amazon-adsystem.com apa.at aspnetcdn.com assets-cdn.github.com assets.mtb-news.de assets.pons.com backbeatmedia.com bdi-services.de bf-ad.net bf-tools.net bootstrapcdn.com braintreegateway.com brightcove.net btstatic.com byu.edu cbsistatic.com cdn-dena.com cdn3.tekrevue.com cdn6.wn.com chartbeat.com clicktripz.com cloudflare.com cmp2.pcwelt.de cookielaw.org coveo.com d2zv5rkii46miq.cloudfront.net dealer.com deviantart.net disqus.com dropbox.com dynamicyield.com ensighten.com epfl.ch epoq.de etracker.com facebook.net fastly-insights.com filestorage.chip.de fontawesome.com geoedge.be go-mpulse.net google-analytics.com google.com googleadservices.com googlesyndication.com googletagmanager.com googletagservices.com gravatar.com gstatic.com h-bid.com hs-scripts.com hscta.net indexww.com instagram.com ioam.de jobs.net jquery.com jumpstarttaggingsolutions.com ligatus.com lots.co.in lp4.io maps.googleapis.com maxcdn.com mhcache.com mps-gba.de myvisualiq.net neads.delivery netdna-ssl.com onesignal.com onthe.io openx.net opinary.com opta.net optimizely.com outbrain.com p7s1.com parastorage.com permutive.com pinterest.com pixel-static.spotify.com polldaddy.com pololu-files.com polyfill.io ravenjs.com redhat.com regmedia.co.uk reutersmedia.net s2-prod.cornwalllive.com s3.reutersmedia.net s4.reutersmedia.net scdn.co sekindo.com servedby-buysellads.com shareaholic.com sharethis.com siteswithcontent.com skimresources.com smartredirect.de speedcurve.com static.ancientfaces.com static.zdassets.com staticcontent.fxstreet.com stats.wp.com stripe.com stroeerdigitalgroup.de subscribers.com teads.tv thomsonreuters.com tinypass.com tiqcdn.com tm-awx.com twimg.com twitter.com typekit.net usercentrics.eu vi-serve.com webmasterplan.com wordpress.com wp.com www.google.com www.instagram.com www8.hp.com yieldlove.com youtube.com zdassets.com zendesk.com http://127777.com http://addthis.com http://admeira.ch http://adnxs.com http://adobedtm.com http://adrivo.com http://ads-twitter.com http://adsafeprotected.com http://adscale.de http://adtech.de http://akamaihd.net http://amazon-adsystem.com http://apa.at http://aspnetcdn.com http://backbeatmedia.com http://bdi-services.de http://bf-ad.net http://bf-tools.net http://bootstrapcdn.com http://braintreegateway.com http://brightcove.net http://btstatic.com http://byu.edu http://cbsistatic.com http://cdn-dena.com http://chartbeat.com http://clicktripz.com http://cloudflare.com http://cookielaw.org http://coveo.com http://dealer.com http://deviantart.net http://disqus.com http://dropbox.com http://dynamicyield.com http://ensighten.com http://epfl.ch http://epoq.de http://etracker.com http://facebook.net http://fastly-insights.com http://fontawesome.com http://geoedge.be http://go-mpulse.net http://google-analytics.com http://google.com http://googleadservices.com http://googlesyndication.com http://googletagmanager.com http://googletagservices.com http://gravatar.com http://gstatic.com http://h-bid.com http://hs-scripts.com http://hscta.net http://indexww.com http://instagram.com http://ioam.de http://jobs.net http://jquery.com http://jumpstarttaggingsolutions.com http://ligatus.com http://lp4.io http://maxcdn.com http://mhcache.com http://mps-gba.de http://myvisualiq.net http://neads.delivery http://netdna-ssl.com http://onesignal.com http://onthe.io http://openx.net http://opinary.com http://opta.net http://optimizely.com http://outbrain.com http://p7s1.com http://parastorage.com http://permutive.com http://pinterest.com http://polldaddy.com http://pololu-files.com http://polyfill.io http://ravenjs.com http://redhat.com http://reutersmedia.net http://scdn.co http://sekindo.com http://servedby-buysellads.com http://shareaholic.com http://sharethis.com http://siteswithcontent.com http://skimresources.com http://smartredirect.de http://speedcurve.com http://stripe.com http://stroeerdigitalgroup.de http://subscribers.com http://teads.tv http://thomsonreuters.com http://tinypass.com http://tiqcdn.com http://tm-awx.com http://twimg.com http://twitter.com http://typekit.net http://usercentrics.eu http://vi-serve.com http://webmasterplan.com http://wordpress.com http://wp.com http://yieldlove.com http://youtube.com http://zdassets.com http://zendesk.com https://127777.com https://addthis.com https://admeira.ch https://adnxs.com https://adobedtm.com https://adrivo.com https://ads-twitter.com https://adsafeprotected.com https://adscale.de https://adserver.idg.de https://adtech.de https://akamaihd.net https://amazon-adsystem.com https://apa.at https://aspnetcdn.com https://backbeatmedia.com https://bdi-services.de https://bf-ad.net https://bf-tools.net https://bootstrapcdn.com https://braintreegateway.com https://brightcove.net https://btstatic.com https://byu.edu https://cbsistatic.com https://cdn-client.medium.com https://cdn-dena.com https://cdn.afterdawn.fi https://cdn.netzpolitik.org https://chartbeat.com https://clicktripz.com https://cloudflare.com https://cmp.chip.de https://cmp.focus.de https://cookielaw.org https://coveo.com https://dealer.com https://deviantart.net https://dialogue.sp-prod.net https://disqus.com https://dr.habracdn.net https://dropbox.com https://dynamicyield.com https://ensighten.com https://epfl.ch https://epoq.de https://etracker.com https://facebook.net https://fastly-insights.com https://fontawesome.com https://geoedge.be https://go-mpulse.net https://google-analytics.com https://google.com https://googleadservices.com https://googlesyndication.com https://googletagmanager.com https://googletagservices.com https://gravatar.com https://gstatic.com https://h-bid.com https://hs-scripts.com https://hscta.net https://hsto.org https://indexww.com https://instagram.com https://ioam.de https://jobs.net https://jquery.com https://jumpstarttaggingsolutions.com https://ligatus.com https://lp4.io https://maxcdn.com https://mhcache.com https://mps-gba.de https://myvisualiq.net https://neads.delivery https://netdna-ssl.com https://onesignal.com https://onthe.io https://openx.net https://opinary.com https://opta.net https://optimizely.com https://outbrain.com https://p7s1.com https://parastorage.com https://permutive.com https://pinterest.com https://polldaddy.com https://pololu-files.com https://polyfill.io https://ravenjs.com https://redhat.com https://reutersmedia.net https://s3-eu-central-1.amazonaws.com https://s3.amazonaws.com https://scdn.co https://sekindo.com https://servedby-buysellads.com https://shareaholic.com https://sharethis.com https://siteswithcontent.com https://skimresources.com https://smartredirect.de https://speedcurve.com https://static.cdn.prismic.io https://static.cleverpush.com https://static.criteo.net https://static.faz.net https://static.zeit.de https://stripe.com https://stroeerdigitalgroup.de https://subscribers.com https://teads.tv https://thomsonreuters.com https://tinypass.com https://tiqcdn.com https://tm-awx.com https://twimg.com https://twitter.com https://typekit.net https://unpkg.com https://usercentrics.eu https://vi-serve.com https://webmasterplan.com https://wordpress.com https://wp.com https://www.afterdawn.dk https://www.tagesschau.de https://yieldlove.com https://youtube.com https://zdassets.com https://zdwidget3-bs.sphereup.com https://zendesk.com");
user_pref("noscript.version", "2.9.0.13");
user_pref("noscript.visibleUIChecked", true);
user_pref("noscript.xss.checkInclusions.exceptions", "");
user_pref("offline-apps.allow_by_default", false);
user_pref("offline-apps.permissions", 0);
user_pref("permissions.default.image", 3);
user_pref("permissions.default.object", 3);
user_pref("permissions.default.script", 3);
user_pref("permissions.default.stylesheet", 3);
user_pref("permissions.default.subdocument", 3);
user_pref("places.database.lastMaintenance", 1599512467);
user_pref("places.frecency.unvisitedBookmarkBonus", 0);
user_pref("places.history.enabled", false);
user_pref("places.history.expiration.transient_current_max_pages", 22381);
user_pref("plugin.default.state", 0);
user_pref("plugins.click_to_play", false);
user_pref("plugins.update.url", "");
user_pref("pref.browser.language.disable_button.down", false);
user_pref("pref.general.disable_button.default_browser", false);
user_pref("pref.privacy.disable_button.cookie_exceptions", false);
user_pref("print.print_bgcolor", false);
user_pref("print.print_bgimages", false);
user_pref("print.print_duplex", 0);
user_pref("print.print_evenpages", true);
user_pref("print.print_in_color", true);
user_pref("print.print_margin_bottom", "0.5");
user_pref("print.print_margin_left", "0.5");
user_pref("print.print_margin_right", "0.5");
user_pref("print.print_margin_top", "0.5");
user_pref("print.print_oddpages", true);
user_pref("print.print_orientation", 0);
user_pref("print.print_page_delay", 50);
user_pref("print.print_paper_data", 0);
user_pref("print.print_paper_height", " 11,69");
user_pref("print.print_paper_name", "iso_a4");
user_pref("print.print_paper_size_unit", 0);
user_pref("print.print_paper_width", " 8,27");
user_pref("print.print_scaling", " 1,00");
user_pref("print.print_shrink_to_fit", true);
user_pref("print.print_to_file", false);
user_pref("print.print_to_filename", "/home/secret/Dokumente/mozilla.pdf");
user_pref("print.print_unwriteable_margin_bottom", 56);
user_pref("print.print_unwriteable_margin_left", 25);
user_pref("print.print_unwriteable_margin_right", 25);
user_pref("print.print_unwriteable_margin_top", 25);
user_pref("print_printer", "Brother-DCP-115C");
user_pref("privacy.clearOnShutdown.connectivityData", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);
user_pref("privacy.cpd.connectivityData", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.siteSettings", true);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.donottrackheader.value", 1);
user_pref("privacy.item.cookies", true);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.popups.showBrowserMessage", false);
user_pref("privacy.sanitize.didShutdownSanitize", true);
user_pref("privacy.sanitize.migrateFx3Prefs", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.sanitize.timeSpan", 0);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.pbmode.enabled", true);
user_pref("privacy.trackingprotection.ui.enabled", true);
user_pref("privacy.userContext.enabled", false);
user_pref("privacy.userContext.longPressBehavior", 0);
user_pref("privacy.userContext.ui.enabled", true);
user_pref("reader.parse-on-load.enabled", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.cert_pinning.hpkp.enabled", true);
user_pref("security.csp.experimentalEnabled", true);
user_pref("security.disable_button.openCertManager", false);
user_pref("security.disable_button.openDeviceManager", false);
user_pref("security.remember_cert_checkbox_default_setting", false);
user_pref("security.ssl.errorReporting.url", "");
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.tls.version.min", 3);
user_pref("security.xcto_nosniff_block_images", true);
user_pref("security.xpconnect.plugin.unrestricted", false);
user_pref("services.sync.addons.trustedSourceHostnames", "");
user_pref("services.sync.clients.lastSync", "0");
user_pref("services.sync.clients.lastSyncLocal", "0");
user_pref("services.sync.declinedEngines", "");
user_pref("services.sync.fxa.privacyURL", "");
user_pref("services.sync.fxa.termsURL", "");
user_pref("services.sync.globalScore", 0);
user_pref("services.sync.jpake.serverURL", "");
user_pref("services.sync.lastversion", "1.54.1");
user_pref("services.sync.log.appender.console", "Error");
user_pref("services.sync.migrated", true);
user_pref("services.sync.miscURL", "");
user_pref("services.sync.nextSync", 0);
user_pref("services.sync.outdated.url", "");
user_pref("services.sync.prefs.sync.dom.event.contextmenu.enabled", false);
user_pref("services.sync.prefs.sync.extensions.ematrix.cloudStorage.myRulesPane", true);
user_pref("services.sync.privacyURL", "");
user_pref("services.sync.serverURL", "");
user_pref("services.sync.statusURL", "");
user_pref("services.sync.syncKeyHelpURL", "");
user_pref("services.sync.tabs.lastSync", "0");
user_pref("services.sync.tabs.lastSyncLocal", "0");
user_pref("services.sync.termsURL", "");
user_pref("services.sync.tokenServerURI", "");
user_pref("signon.autologin.proxy", true);
user_pref("signon.formlessCapture.enabled", false);
user_pref("signon.importedFromSqlite", true);
user_pref("signon.rememberSignons", false);
user_pref("startup.homepage_override_url", "");
user_pref("startup.homepage_welcome_url", "");
user_pref("status4evar.advanced.status.detectVideo", false);
user_pref("status4evar.firstRun", false);
user_pref("status4evar.migration", 8);
user_pref("storage.vacuum.last.index", 1);
user_pref("storage.vacuum.last.places.sqlite", 1598197230);
user_pref("svg.display-lists.hit-testing.enabled", false);
user_pref("svg.display-lists.painting.enabled", false);
user_pref("svg.in-content.enabled", false);
user_pref("svg.marker-improvements.enabled", false);
user_pref("svg.path-caching.enabled", false);
user_pref("svg.transform-box.enabled", true);
user_pref("toolkit.startup.last_success", 1599840550);
user_pref("toolkit.telemetry.reportingpolicy.firstRun", false);
user_pref("webextensions.storage.sync.serverURL", "");
user_pref("webgl.disable-DOM-blit-uploads", true);
user_pref("webgl.disable-angle", true);
user_pref("webgl.disable-extensions", true);
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
user_pref("webgl.disable-wgl", true);
user_pref("webgl.disabled", true);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.restore-context-when-visible", false);
user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.required", true);
/usr/lib64/firefox/distribution/policies.json, examples and explanation see wiki.kairaven.de
//
user.js (with some internal changes by us, Gooken) from https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
/******
* name: ghacks user.js
* date: 11 Feb 2017
* version: 0.11 FINAL : The [White?] House of the Rising Pants,
* NOTICE: GOOKEN MADE SOME INTERNAL CHANGES!!!
* "My mother was a tailor, she sewed my new blue pants"
* FF version: 51 (DESKTOP)
* authors: FLOTUS: Pants
VICE PRESIDENT: earthling (birth certificate on request)
SECRETARY: Martin Brinkmann
SPEAKER: Tom Hawack
CABINET: Just me, Conker, Rockin´ Jerry, Ainatar, Parker Lewis
* url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
* required reading: http://kb.mozillazine.org/User.js_file
* README/IMPORTANT:
<font color=#ff3333>End users of this list/file are expected to know what they are doing. These are the author´s
settings. The author does NOT expect (or indeed want) end users to just run with it as is.
Use it as a comprehensive list, or as a template for your own.</font> Extensive links and comments
have been added to help. Before using this user.js, if necessary, you should change, remove or
comment out with two forward slashes any preferences you´re not happy with or not sure about.
The settings in this file (user.js) OVERWRITE the ones in your prefs (prefs.js - these are
accessed via about:config) when FF is started. See the required reading above.
* BACKUP FIRST:
Backup your profile first, or even just the PREFS.JS. Go to your profile directory and copy
prefs.js, rename it (eg to prefs.js.backup). That way, if you have problems, to restore FF
to the state it was in beforehand, close FF, delete the prefs.js, rename your backup copy of
prefs back to prefs.js, RENAME the user.js so it doesn´t overwrite everything again, then
start FF. IF you have any problems, you can also ask in the comments at ghacks.
* PURPOSE:
This is not a "comprehensive" list of ALL things privacy/security (otherwise it would be huge)
It is more like a list of settings that generally differ from their defaults, and is aimed at
improving security and privacy, at making a "quieter" FF, and at reducing fingerprinting and
tracking, while allowing functionality. There will be trade-offs and conflicts between these.
* COMMON ISSUES:
Some prefs will break some sites (it´s inevitable). If you are having issues search for
"WARNING:" in this document, especially the ones listed just below.
<font color=#ff3333>This user.js uses the author´s settings, so you need to check these EACH release because
the author prefers anonymity, security, and privacy over functionality [eg being able to
paste in Facebook, downloadable fonts, and other minor inconveniences]. You have been warned.</font>
0202 & 0204 & 0207 & 0208: search, language and locale settings
0903 & 0904: master password (author set his up to last 5 minutes, default is once per session)
1007 & 1008: disabling/reducing session store saves affects recently closed tabs history
1204: security.ssl.require_safe_negotiation
1206: security.OCSP.require
1208: security.cert_pinning.enforcement_level
1209: TLS min and max
1210: disable 1024-DH Encryption
1211: disable SHA-1
1212: disable SSL session tracking
1401 & 1406: browser.display.use_document_fonts <font color=#ff3333>[author blocked fonts]</font>
1404: default fonts <font color=#ff3333>[author changed default fonts]</font>
1805: plugin.scan.plid.all <font color=#ff3333>[author blocked all plugins]</font>
1807: disable auto-play of HTML5 media (may break some sites´ playback)
2025: enable/disable media types <font color=#ff3333>[author´s settings, choose your own]</font>
2201: dom.event.contextmenu.enabled
2300´s: workers/service.workers/push notifications etc may affect twitter, street view and other sites
2402: dom.event.clipboardevents.enabled
2404: dom.indexedDB.enabled <font color=#ff3333>[author killed indexedDB]</font>
2415b: limit popup events
2421: two JS preferences that cause the odd issue (commented out, not worth the performance loss)
2507: keyboard fingerprinting (android + physical keyboard)
2508: hardware acceleration (performance vs lots of video, also fonts render differently)
<font color=#ff3333>[author killed hardware acceleration]</font>
2509: dom.w3c_touch_events.enabled (you will want to change this if you use touch)
2619: network.http.redirection-limit
2627: various User Agent and navigator objects
2662: browser.download.forbid_open_with
2698: privacy.firstparty.isolate
2705: dom.storage.enabled
* THANKS:
Special thanks to Martin Brinkmann and the ghacks community
Lots of websites, lots of people, too many to list but here are some excellent resources
- https://github.com/pyllyukko/user.js
- https://www.wilderssecurity.com/threads/firefox-lockdown.368003/
- http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs
- https://www.privacy-handbuch.de/handbuch_21.htm (German)
******/
// START: internal custom pref to test for syntax errors (thanks earthling)
// Yes, this next pref setting is redundant, but I like it!
// https://en.wikipedia.org/wiki/Dead_parrot
// https://en.wikipedia.org/wiki/Warrant_canary
/*** 0100: STARTUP ***/
// 0101: disable "slow startup" options
// warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_welcome_url.additional", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.laterrun.enabled", false);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.usedOnWindows10.introURL", "");
// 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
// home = browser.startup.homepage preference
// You can set all of this from Options>General>Startup
// user_pref("browser.startup.page", 0);
/*** 0200: GEOLOCATION ***/
// 0201: disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "https://127.0.0.1");
user_pref("geo.wifi.logging.enabled", false);
// (hidden pref)
user_pref("browser.search.geoip.url", "");
user_pref("geo.wifi.xhr.timeout", 1);
user_pref("browser.search.geoip.timeout", 1);
// 0202: disable GeoIP-based search results
// NOTE: may not be hidden if Mozilla have changed your settings due to your locale
// https://trac.torproject.org/projects/tor/ticket/16254
user_pref("browser.search.countryCode", "US");
// (hidden pref)
user_pref("browser.search.region", "US");
// (hidden pref)
// 0203: disable using OS locale, force APP locale
user_pref("intl.locale.matchOS", false);
// 0204: set APP local
user_pref("general.useragent.locale", "en-US");
// 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
// i.e ignore all of Mozilla´s multiple deals with multiple engines in multiple locales
user_pref("browser.search.geoSpecificDefaults", false);
user_pref("browser.search.geoSpecificDefaults.url", "");
// 0207: set language to match
// WARNING: reset this to your default if you don´t want English
user_pref("intl.accept_languages", "en-US, en");
// 0208: enforce US English locale regardless of the system locale
// https://bugzilla.mozilla.org/show_bug.cgi?id=867501
user_pref("javascript.use_us_english_locale", true);
// (hidden pref)
/*** 0300: QUIET FOX [PART 1]
No auto-phoning home for anything. You can still do manual updates. It is still important
to do updates for security reasons. If you don´t auto update, make sure you do manually.
There are many legitimate reasons to turn off AUTO updates, including hijacked monetized
extensions, time constraints, legacy issues, and fear of breakage/bugs ***/
// 0301: disable browser auto update
// Options>Advanced>Update>Never check for updates
user_pref("app.update.enabled", false);
// Options>Advanced>Update>Use a background service to install updates
user_pref("app.update.service.enabled", false);
// ensure update information is not suppressed
user_pref("app.update.silent", false);
// disable background update staging
user_pref("app.update.staging.enabled", false);
// 0302: disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);
// 0303: disable search update (Options>Advanced>Update>Automatically update: search engines)
user_pref("browser.search.update", false);
// 0304: disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);
// 0305: disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);
// 0306: disable add-on metadata updating
// sends daily pings to Mozilla about extensions and recent startups
user_pref("extensions.getAddons.cache.enabled", false);
// 0307: disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);
// 0309: disable sending Flash crash reports
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
// 0310: disable sending the URL of the website where a plugin crashed
user_pref("dom.ipc.plugins.reportCrashURL", false);
// 0320: disable extension discovery
// featured extensions for displaying in Get Add-ons panel
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");
// 0330a: disable telemetry
// https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// the pref (.unified) affects the behaviour of the pref (.enabled)
// IF unified=false then .enabled controls the telemetry module
// IF unified=true then .enabled ONLY controls whether to record extended data
// so make sure to have both set as false
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);
// 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
// is enabled ONLY for people that opted into it, even if unified Telemetry is enabled
user_pref("toolkit.telemetry.unifiedIsOptIn", true);
// (hidden pref)
// 0331: remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");
// 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
user_pref("toolkit.telemetry.archive.enabled", false);
// 0333a: disable health report
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.healthreport.documentServerURI", "");
// (hidden pref)
user_pref("datareporting.healthreport.service.enabled", false);
// (hidden pref)
// 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
// If you have disabled health reports, then this about page is useless - disable it
// If you want to see what health data is present, then these must be set at default
user_pref("datareporting.healthreport.about.reportUrl", "data:text/plain,");
// 0334a: disable new data submission, master kill switch (FF41+)
// If disabled, no policy is shown or upload takes place, ever
// https://bugzilla.mozilla.org/show_bug.cgi?id=1195552
user_pref("datareporting.policy.dataSubmissionEnabled", false);
// 0335: remove a telemetry clientID
// if you haven´t got one, be proactive and set it now for future proofing
user_pref("toolkit.telemetry.cachedClientID", "");
// 0336: disable "Heartbeat" (Mozilla user rating telemetry)
// https://trac.torproject.org/projects/tor/ticket/18738
user_pref("browser.selfsupport.enabled", false);
// (hidden pref)
user_pref("browser.selfsupport.url", "");
// 0340: disable experiments
// https://wiki.mozilla.org/Telemetry/Experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);
// 0341: disable Mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);
// 0350: disable crash reports
user_pref("breakpad.reportURL", "");
// 0351: disable sending of crash reports (FF44+)
user_pref("browser.tabs.crashReporting.sendReport", false);
// 0360: disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
user_pref("browser.newtabpage.directory.source", "data:text/plain,");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);
// 0370: disable "Snippets" (Mozilla content shown on about:home screen)
// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
// MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
// 0373: disable "Pocket" (third party "save for later" service) & remove urls for good measure
// NOTE: Important: Remove the pocket icon from your toolbar first
// https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/
user_pref("extensions.pocket.enabled", false);
user_pref("extensions.pocket.api", "");
user_pref("extensions.pocket.site", "");
user_pref("extensions.pocket.oAuthConsumerKey", "");
// 0374: disable "social" integration
// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);
user_pref("social.enabled", false);
// (hidden pref)
// 0375: disable "Reader View"
user_pref("reader.parse-on-load.enabled", false);
// 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
// https://wiki.mozilla.org/FlyWeb
// http://www.ghacks.net/2016/07/26/firefox-flyweb/
user_pref("dom.flyweb.enabled", false);
// 0380: disable sync
user_pref("services.sync.enabled", false);
// (hidden pref)
/*** 0400: QUIET FOX [PART 2]
This section has security & tracking protection implications vs privacy concerns.
These settings are geared up to make FF "quiet" & private. I am NOT advocating no protection.
If you turn these off, then by all means please use something superior, such as uBlock Origin.
<font color=#ff3333>IMPORTANT: This entire section is rather contentious. Safebrowsing is designed to protect
users from malicious sites. Tracking protection is designed to lessen the impact of third
parties on websites to reduce tracking and to speed up your browsing experience. These are
both very good features provided by Mozilla. They do rely on third parties: Google for
safebrowsing and Disconnect for tracking protection (someone has to provide the information).
Additionally, SSL Error Reporting helps makes the internet more secure for everyone.
If you do not understand the ramifications of disabling all of these, then it is advised that
you enable them by commenting out the preferences and saving the changes, and then in
about:config find each entry and right-click and reset the preference´s value.</font> ***/
// 0401: DON´T disable extension blocklist, but sanitize blocklist url - SECURITY
// It now includes updates for "revoked certificates" - security trumps privacy here
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl
// https://trac.torproject.org/projects/tor/ticket/16931
user_pref("extensions.blocklist.enabled", true);
user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
// 0402: disable/enable various Kinto blocklist updates (FF50+)
// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
// As FF transitions to Kinto, the blocklists have been broken down (more could be added). These contain
// block entries for certs to be revoked, add-ons and plugins to be disabled, and gfx environments that
// cause problems or crashes. Here you can remove the collection name to prevent each specific list updating
user_pref("services.blocklist.update_enabled", true);
user_pref("services.blocklist.signing.enforced", true);
user_pref("services.blocklist.onecrl.collection", "certificates");
// Revoked certificates
user_pref("services.blocklist.addons.collection", "addons");
user_pref("services.blocklist.plugins.collection", "");
// I have no plugins
user_pref("services.blocklist.gfx.collection", "");
// I have gfx hw acceleration disabled
// 0410: disable safe browsing
// I have redesigned this sub-section to differentiate between "real-time"/"user initiated"
// data being sent to Google from all other settings such as using local blocklists/whitelists
// and updating those lists. There SHOULD be NO privacy issues here. Even *IF* an URL was sent
// to Google, they swear it is anonymized and only used to flag malicious sites/activity. Firefox
// also takes measures such as striping out identifying parameters and storing safe browsing
// cookies in a separate jar. (#Turn on browser.safebrowsing.debug to monitor this activity)
// To use safebrowsing but not "leak" binary download info to Google, only use 0410e and 0410f
// #Required reading: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
// https://wiki.mozilla.org/Security/Safe_Browsing
// 0410a: disable "Block dangerous and deceptive content" This setting is under Options>Security
// in FF47 and under this is was titled "Block reported web forgeries"
// this covers deceptive sites such as phishing and social engineering
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
// (FF50+)
// 0410b: disable "Block dangerous downloads" This setting is under Options>Security
// in FF47 and under this was titled "Block reported attack sites"
// this covers malware and PUPs (potentially unwanted programs)
user_pref("browser.safebrowsing.downloads.enabled", false);
// disable "Warn me about unwanted and uncommon software" Also under Options>Security (FF48+)
user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
// yet more prefs added (FF49+)
user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
// 0410c: disable Google safebrowsing downloads, updates
user_pref("browser.safebrowsing.provider.google.updateURL", "");
// update google lists
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
// list hash check
user_pref("browser.safebrowsing.provider.google4.updateURL", "");
// (FF50+)
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
// (FF50+)
// 0410d: disable mozilla safebrowsing downloads, updates
// NOTE: These two prefs are also used for Tracking Protection (see 0420)
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
// resolves hash conflicts
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
// update FF lists
// 0410e: disable binaries NOT in local lists being checked by Google (real-time checking)
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
// 0410f: disable reporting URLs
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
// (FF50+)
// 0410g: show=true or hide=false the ´ignore this warning´ on Safe Browsing warnings which
// when clicked bypasses the block for that session. This is a means for admins to enforce SB
// https://bugzilla.mozilla.org/show_bug.cgi?id=1226490
// tests: see APPENDIX A: TEST SITES - Section 06
// user_pref("browser.safebrowsing.allowOverride", true);
// 0420: disable tracking protection
// There SHOULD be NO privacy concerns here, but you are better off using an extension such as
// uBlock Origin which is not decided by a third party (disconnect) and is far more effective
// (when used correctly). NOTE: There are two prefs (see 0410d) shared with Safe Browsing
// https://wiki.mozilla.org/Security/Tracking_protection
// https://support.mozilla.org/en-US/kb/tracking-protection-firefox
user_pref("privacy.trackingprotection.enabled", false);
// all windows pref (not just private)
user_pref("privacy.trackingprotection.pbmode.enabled", false);
// private browsing pref
// 0421: enable more Tracking Protection choices under Options>Privacy>Use Tracking Protection
user_pref("privacy.trackingprotection.ui.enabled", true);
// 0430: disable SSL Error Reporting - PRIVACY
// https://gecko.readthedocs.org/en/latest/browser/base/sslerrorreport/preferences.html
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("security.ssl.errorReporting.url", "");
// 0440: disable Mozilla´s blocklist for known Flash tracking/fingerprinting (48+)
// If you don´t have Flash, then you don´t need this enabled
// NOTE: if enabled, you will need to check what prefs (safebrowsing URLs etc) this uses to update
// http://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
/*** 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] ***/
// 0601: disable link prefetching
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ
user_pref("network.prefetch-next", false);
// 0602: disable dns prefetching
// http://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);
// (hidden pref)
// 0603: disable Seer/Necko
// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Necko
user_pref("network.predictor.enabled", false);
// 0603a: disable more Necko/Captive Portal
// https://en.wikipedia.org/wiki/Captive_portal
// https://wiki.mozilla.org/Necko/CaptivePortal
user_pref("captivedetect.canonicalURL", "");
user_pref("network.captive-portal-service.enabled", false);
// (FF52+?)
// 0604: disable search suggestions
user_pref("browser.search.suggest.enabled", false);
// 0605: disable link-mouseover opening connection to linked server
// http://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
// http://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links
user_pref("network.http.speculative-parallel-limit", 0);
// 0606: disable pings (but enforce same host in case)
// http://kb.mozillazine.org/Browser.send_pings
// http://kb.mozillazine.org/Browser.send_pings.require_same_host
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);
// 0607: stop links launching Windows Store on Windows 8/8.1/10
// http://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/
user_pref("network.protocol-handler.external.ms-windows-store", false);
// 0608: disable predictor / prefetching (FF48+)
user_pref("network.predictor.enable-prefetch", false);
/*** 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc
Not ALL of these are strictly needed, some are for the truly paranoid, but
included for a more comprehensive list (see comments on each one) ***/
// 0801: disable location bar using search - PRIVACY
// don´t leak typos to a search engine, give an error message instead
user_pref("keyword.enabled", false);
// 0802: disable location bar domain guessing - PRIVACY/SECURITY
// domain guessing intercepts DNS "hostname not found errors" and resends a
// request (eg by adding www or .com). This is inconsistent use (eg FQDNs), does not work
// via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
// as the 411 for DNS errors?), privacy issues (why connect to sites you didn´t
// intend to), can leak sensitive data (eg query strings: eg Princeton attack),
// and is a security risk (eg common typos & malicious sites set up to exploit this)
user_pref("browser.fixup.alternate.enabled", false);
// 0803: disable locationbar dropdown - PRIVACY (shoulder surfers,forensics/unattended browser)
user_pref("browser.urlbar.maxRichResults", 0);
// 0804: display all parts of the url
// why rely on just a visual clue - helps SECURITY
user_pref("browser.urlbar.trimURLs", false);
// 0805: disable URLbar autofill - PRIVACY (shoulder surfers, forensics/unattended browser)
// http://kb.mozillazine.org/Inline_autocomplete
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);
// 0806: disable autocomplete - PRIVACY (shoulder surfers, forensics/unattended browser)
user_pref("browser.urlbar.autocomplete.enabled", false);
// 0808: disable history suggestions - PRIVACY (shoulder surfers, forensics/unattended browser)
user_pref("browser.urlbar.suggest.history", false);
// 0809: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
// This is a PER TAB session history. You still have a full history stored under all history
// default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
// use it as a means of referral (eg hotlinking), 4 or 6 may be more practical
user_pref("browser.sessionhistory.max_entries", 4);
// 0810: disable css querying page history - css history leak - PRIVACY
// NOTE: this has NEVER been fully "resolved": in Mozilla/docs it is stated it´s only in
// ´certain circumstances´, also see latest comments in the bug link
// https://dbaron.org/mozilla/visited-privacy
// https://bugzilla.mozilla.org/show_bug.cgi?id=147777
// https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector
user_pref("layout.css.visited_links_enabled", false);
// 0811: disable displaying javascript in history URLs - SECURITY
user_pref("browser.urlbar.filter.javascript", true);
// 0812: disable search and form history
// Under Options>Privacy> if you set Firefox to "use custom settings" there 
Gooken
Excurs
News&Links
Links
Guestbook
Gooken - the at times breaking full, large "china restaurant"... Do you want the everlasting peace with your computer as a system (backported Fedora Core (fc): updates from year 2010-2026 resp. lifetime) with covering software (backported too) on powersaving and cheap lifetime-hardware, providing the incredible high security level? Contribute to Gooken for the manufacturing of the (consistent) IT-security-standard! For correspondent please click here!
